{
  "type": "Domain",
  "indicator": "buffer.data",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/buffer.data",
    "alexa": "http://www.alexa.com/siteinfo/buffer.data",
    "indicator": "buffer.data",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3614001289,
      "indicator": "buffer.data",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "69d5a8def91087434d1df14b",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been launched by InQuest Labs R&D at the University of California, San Francisco, to investigate the use of Base64 as an address for web addresses and links on the internet. Jd- 3b5074b1b5d032e5620f69f9f700ff0e\n0e07085e04cc7020652995b536fd99a7\n123402a56d3e6b49eb471ee3bd1ccd0d\n131ae075b4ea025e4cac3262abc1cc51\n16896e98512813240dde29439b9dbabb\n2823dc3a4a78c0e45d279d052945dddf\n28a2c9bd18a11de089ef85a160da29e4\n34974b6437558a9b630f17e562868970\n4aad38bb2ab12dfcf77b45dfcad42801\n54af8c5e2731171ab2e103b55fad6ba0\n6316bde54a7388dd96416355e16bbec6\n7d9ca857e500f919822d02e907fd376c\n7fa57cdb6989cc29c9c6e05c1f98a04d\n843d00145c833145305dfd86a9944d47\n9cea5dc0fe8092f4d251f17e173dab20\nadc58c2ebe33331d81758c4ab4eb2091\nb190d3580b6b75594a7d53e0ab7b075c\nb95fd39f922163b94b40d5b7605fe0c9\nd1352a4605e4f045b6f78681227160ca\nd786947b5d04c6705014803f265cc73f\ne16530d7c64d3654ba93408c8d6aff9a\ne4c8aa0e70185e550a8d64e1408e2ccd\nedfa0ce8dc4638c67a6818cf469dbf3f\nf4ce811849cf8ad158970c1b18a2d457",
          "modified": "2026-04-08T02:06:12.150000",
          "created": "2026-04-08T01:01:18.419000",
          "tags": [
            "sha256",
            "ssdeep",
            "zizqw3g tlsh",
            "csv text",
            "magic csv",
            "magika csv",
            "file size",
            "x32gwm",
            "inquest labs",
            "base64",
            "x2bx2fx38x39",
            "x2bx2fx39wz",
            "writefile",
            "readfile",
            "isbadreadptr",
            "setfilepointer",
            "windows api",
            "inquestpii",
            "loadlibrarya",
            "shellexecutea",
            "getprocaddress",
            "microsoft",
            "msft nethandle",
            "net52",
            "net520000",
            "msft",
            "orgid",
            "msft address",
            "microsoft way",
            "city",
            "stateprov",
            "microsoft abuse",
            "contact orgid",
            "orgdnshandle",
            "orgdnsref",
            "orgabuseref",
            "peering",
            "orgtechhandle",
            "domain name",
            "status",
            "windows sandbox",
            "calls process",
            "id file",
            "magic",
            "trid macbinary",
            "memo file",
            "apollo database",
            "engine",
            "vxd driver",
            "sybase",
            "ip traffic",
            "tls sni",
            "cname",
            "default",
            "cultureneutral",
            "file type",
            "mwdb",
            "bazaar",
            "sha3384",
            "inprocserver32",
            "accept",
            "shutdown",
            "win64",
            "url final",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard",
            "shell folders",
            "parent pid",
            "full path",
            "command line",
            "guard",
            "pe file",
            "binary",
            "contains",
            "aslr",
            "https",
            "performs dns",
            "network info",
            "sample",
            "creates",
            "window",
            "malicious",
            "next",
            "systemroot",
            "folders",
            "k netsvcs",
            "file execution",
            "matches rule",
            "snort",
            "get https",
            "medium",
            "info",
            "mtu denial",
            "needed",
            "df bit",
            "unique rule",
            "http requests",
            "memory pattern",
            "post https",
            "dns resolutions",
            "domains",
            "urls https",
            "externalnet",
            "homenet",
            "5762",
            "imageendswith",
            "dns query",
            "browser",
            "nextron",
            "advanced threat",
            "imagestartswith",
            "filesseamonkey",
            "whale",
            "fileswaterfox",
            "filesfalkon"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
            "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
            "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
            "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 197,
            "FileHash-SHA1": 135,
            "FileHash-SHA256": 186,
            "URL": 192,
            "YARA": 55,
            "hostname": 259,
            "domain": 57,
            "CIDR": 5,
            "email": 9,
            "IPv4": 221
          },
          "indicator_count": 1316,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "11 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d5a8ed39cff9923a6487f7",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been launched by InQuest Labs R&D at the University of California, San Francisco, to investigate the use of Base64 as an address for web addresses and links on the internet. Jd- 3b5074b1b5d032e5620f69f9f700ff0e\n0e07085e04cc7020652995b536fd99a7\n123402a56d3e6b49eb471ee3bd1ccd0d\n131ae075b4ea025e4cac3262abc1cc51\n16896e98512813240dde29439b9dbabb\n2823dc3a4a78c0e45d279d052945dddf\n28a2c9bd18a11de089ef85a160da29e4\n34974b6437558a9b630f17e562868970\n4aad38bb2ab12dfcf77b45dfcad42801\n54af8c5e2731171ab2e103b55fad6ba0\n6316bde54a7388dd96416355e16bbec6\n7d9ca857e500f919822d02e907fd376c\n7fa57cdb6989cc29c9c6e05c1f98a04d\n843d00145c833145305dfd86a9944d47\n9cea5dc0fe8092f4d251f17e173dab20\nadc58c2ebe33331d81758c4ab4eb2091\nb190d3580b6b75594a7d53e0ab7b075c\nb95fd39f922163b94b40d5b7605fe0c9\nd1352a4605e4f045b6f78681227160ca\nd786947b5d04c6705014803f265cc73f\ne16530d7c64d3654ba93408c8d6aff9a\ne4c8aa0e70185e550a8d64e1408e2ccd\nedfa0ce8dc4638c67a6818cf469dbf3f\nf4ce811849cf8ad158970c1b18a2d457",
          "modified": "2026-04-08T01:47:03.801000",
          "created": "2026-04-08T01:01:33.948000",
          "tags": [
            "sha256",
            "ssdeep",
            "zizqw3g tlsh",
            "csv text",
            "magic csv",
            "magika csv",
            "file size",
            "x32gwm",
            "inquest labs",
            "base64",
            "x2bx2fx38x39",
            "x2bx2fx39wz",
            "writefile",
            "readfile",
            "isbadreadptr",
            "setfilepointer",
            "windows api",
            "inquestpii",
            "loadlibrarya",
            "shellexecutea",
            "getprocaddress",
            "microsoft",
            "msft nethandle",
            "net52",
            "net520000",
            "msft",
            "orgid",
            "msft address",
            "microsoft way",
            "city",
            "stateprov",
            "microsoft abuse",
            "contact orgid",
            "orgdnshandle",
            "orgdnsref",
            "orgabuseref",
            "peering",
            "orgtechhandle",
            "domain name",
            "status",
            "windows sandbox",
            "calls process",
            "id file",
            "magic",
            "trid macbinary",
            "memo file",
            "apollo database",
            "engine",
            "vxd driver",
            "sybase",
            "ip traffic",
            "tls sni",
            "cname",
            "default",
            "cultureneutral",
            "file type",
            "mwdb",
            "bazaar",
            "sha3384",
            "inprocserver32",
            "accept",
            "shutdown",
            "win64",
            "url final",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard",
            "shell folders",
            "parent pid",
            "full path",
            "command line",
            "guard",
            "pe file",
            "binary",
            "contains",
            "aslr",
            "https",
            "performs dns",
            "network info",
            "sample",
            "creates",
            "window",
            "malicious",
            "next",
            "systemroot",
            "folders",
            "k netsvcs",
            "file execution",
            "matches rule",
            "snort",
            "get https",
            "medium",
            "info",
            "mtu denial",
            "needed",
            "df bit",
            "unique rule",
            "http requests",
            "memory pattern",
            "post https",
            "dns resolutions",
            "domains",
            "urls https",
            "externalnet",
            "homenet",
            "5762",
            "imageendswith",
            "dns query",
            "browser",
            "nextron",
            "advanced threat",
            "imagestartswith",
            "filesseamonkey",
            "whale",
            "fileswaterfox",
            "filesfalkon"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
            "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
            "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
            "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 77,
            "FileHash-SHA1": 51,
            "FileHash-SHA256": 100,
            "URL": 144,
            "YARA": 55,
            "hostname": 183,
            "domain": 43,
            "CIDR": 5,
            "email": 7,
            "IPv4": 149
          },
          "indicator_count": 814,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "11 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d5a8e09ff941be26eaec9c",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been launched by InQuest Labs R&D at the University of California, San Francisco, to investigate the use of Base64 as an address for web addresses and links on the internet. Jd- 3b5074b1b5d032e5620f69f9f700ff0e\n0e07085e04cc7020652995b536fd99a7\n123402a56d3e6b49eb471ee3bd1ccd0d\n131ae075b4ea025e4cac3262abc1cc51\n16896e98512813240dde29439b9dbabb\n2823dc3a4a78c0e45d279d052945dddf\n28a2c9bd18a11de089ef85a160da29e4\n34974b6437558a9b630f17e562868970\n4aad38bb2ab12dfcf77b45dfcad42801\n54af8c5e2731171ab2e103b55fad6ba0\n6316bde54a7388dd96416355e16bbec6\n7d9ca857e500f919822d02e907fd376c\n7fa57cdb6989cc29c9c6e05c1f98a04d\n843d00145c833145305dfd86a9944d47\n9cea5dc0fe8092f4d251f17e173dab20\nadc58c2ebe33331d81758c4ab4eb2091\nb190d3580b6b75594a7d53e0ab7b075c\nb95fd39f922163b94b40d5b7605fe0c9\nd1352a4605e4f045b6f78681227160ca\nd786947b5d04c6705014803f265cc73f\ne16530d7c64d3654ba93408c8d6aff9a\ne4c8aa0e70185e550a8d64e1408e2ccd\nedfa0ce8dc4638c67a6818cf469dbf3f\nf4ce811849cf8ad158970c1b18a2d457",
          "modified": "2026-04-08T01:47:02.694000",
          "created": "2026-04-08T01:01:20.099000",
          "tags": [
            "sha256",
            "ssdeep",
            "zizqw3g tlsh",
            "csv text",
            "magic csv",
            "magika csv",
            "file size",
            "x32gwm",
            "inquest labs",
            "base64",
            "x2bx2fx38x39",
            "x2bx2fx39wz",
            "writefile",
            "readfile",
            "isbadreadptr",
            "setfilepointer",
            "windows api",
            "inquestpii",
            "loadlibrarya",
            "shellexecutea",
            "getprocaddress",
            "microsoft",
            "msft nethandle",
            "net52",
            "net520000",
            "msft",
            "orgid",
            "msft address",
            "microsoft way",
            "city",
            "stateprov",
            "microsoft abuse",
            "contact orgid",
            "orgdnshandle",
            "orgdnsref",
            "orgabuseref",
            "peering",
            "orgtechhandle",
            "domain name",
            "status",
            "windows sandbox",
            "calls process",
            "id file",
            "magic",
            "trid macbinary",
            "memo file",
            "apollo database",
            "engine",
            "vxd driver",
            "sybase",
            "ip traffic",
            "tls sni",
            "cname",
            "default",
            "cultureneutral",
            "file type",
            "mwdb",
            "bazaar",
            "sha3384",
            "inprocserver32",
            "accept",
            "shutdown",
            "win64",
            "url final",
            "serving ip",
            "address",
            "status code",
            "body length",
            "b body",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard",
            "shell folders",
            "parent pid",
            "full path",
            "command line",
            "guard",
            "pe file",
            "binary",
            "contains",
            "aslr",
            "https",
            "performs dns",
            "network info",
            "sample",
            "creates",
            "window",
            "malicious",
            "next",
            "systemroot",
            "folders",
            "k netsvcs",
            "file execution",
            "matches rule",
            "snort",
            "get https",
            "medium",
            "info",
            "mtu denial",
            "needed",
            "df bit",
            "unique rule",
            "http requests",
            "memory pattern",
            "post https",
            "dns resolutions",
            "domains",
            "urls https",
            "externalnet",
            "homenet",
            "5762",
            "imageendswith",
            "dns query",
            "browser",
            "nextron",
            "advanced threat",
            "imagestartswith",
            "filesseamonkey",
            "whale",
            "fileswaterfox",
            "filesfalkon"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
            "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
            "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
            "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
            "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 77,
            "FileHash-SHA1": 51,
            "FileHash-SHA256": 100,
            "URL": 144,
            "YARA": 55,
            "hostname": 183,
            "domain": 43,
            "CIDR": 5,
            "email": 7,
            "IPv4": 149
          },
          "indicator_count": 814,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "11 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f6c635cb8c3c8b256b6dba",
          "name": "sdfzsdf.ele   fac1ec40eea5a4fc05f17e019328e287",
          "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations",
          "modified": "2025-09-01T08:05:17.675000",
          "created": "2025-04-09T19:10:45.337000",
          "tags": [
            "sha1",
            "rozmiar",
            "typ pliku",
            "win32",
            "numer wersji",
            "wersja",
            "nieznany",
            "sha512",
            "crc32",
            "ssd gboki",
            "win64",
            "security",
            "license v2",
            "f6 d9",
            "windows nt",
            "detects",
            "gecko",
            "khtml",
            "msie",
            "wow64",
            "stealer",
            "error",
            "userprofile",
            "hunt",
            "keylogger",
            "encrypt",
            "antivm",
            "span",
            "main",
            "grabber",
            "hello",
            "android",
            "dcrat",
            "kill",
            "revengerat",
            "sandbox",
            "pass",
            "chat",
            "first",
            "asyncrat",
            "crypto",
            "injector",
            "dropper",
            "infostealer",
            "lockfile",
            "worldwind",
            "stealerium",
            "toxiceye",
            "avemaria",
            "fast",
            "persistence",
            "trojan",
            "restart",
            "snakekeylogger",
            "snake",
            "accept",
            "cookie",
            "code",
            "killproc",
            "lazarus",
            "dearcry",
            "njrat",
            "cyrus",
            "powershell",
            "info",
            "body",
            "floodfix",
            "downloader",
            "ransomware",
            "core",
            "loki",
            "fpspy",
            "klogexe",
            "firebird",
            "patch",
            "explorer",
            "avkiller",
            "masslogger",
            "baldr",
            "modi rat",
            "helpme",
            "osno",
            "import",
            "keylog",
            "screencapture",
            "ransom",
            "crypted",
            "silent",
            "xorddos",
            "stormkitty",
            "ordinal",
            "locker",
            "hyperbro",
            "lamepyre",
            "parallaxrat",
            "null",
            "shurk steal",
            "arkeistealer",
            "strongpity",
            "desktop",
            "myagent",
            "bypass",
            "fatduke",
            "miniduke",
            "polyglotduke",
            "guildma",
            "spyeye",
            "corebot",
            "killmbr",
            "ooops",
            "lcpdot",
            "torisma",
            "codec",
            "prometheus",
            "spook",
            "crypt",
            "logger",
            "zegost",
            "poshkeylogger",
            "systembc",
            "hdlocker",
            "cryptolocker",
            "fivehands",
            "kitty",
            "goldmax",
            "rents",
            "maurigo",
            "done",
            "hidewindow",
            "bokbot",
            "bladabindi",
            "darktrack",
            "darksky",
            "alien",
            "karkoff",
            "inject",
            "windigo",
            "rest",
            "softcnapp",
            "elysiumstealer",
            "leivion",
            "banload",
            "ultrareach",
            "ultrasurf",
            "buterat",
            "tools",
            "beasty",
            "shut",
            "gravityrat",
            "fatalrat",
            "discord",
            "deadwood",
            "turian",
            "markirat",
            "mark",
            "klingonrat",
            "path",
            "reverserat",
            "grab",
            "meta",
            "voidcrypt",
            "darkvnc",
            "ryzerlo",
            "hiddentear",
            "boxcaon",
            "stream",
            "crimsonrat",
            "delfi",
            "infinity",
            "stealthworker",
            "gasket",
            "spoolss",
            "lu0bot",
            "target",
            "attack",
            "cobaltstrike",
            "bits",
            "chaos",
            "bitcoin",
            "wiper",
            "delphi",
            "slackbot",
            "neshta",
            "belarus",
            "apanas",
            "runner",
            "darkcomet",
            "macoute",
            "iframe",
            "vanillarat",
            "sectoprat",
            "melt",
            "tomiris",
            "apostle",
            "blackbyte",
            "kutaki",
            "override",
            "windealer",
            "mkdir",
            "brbbot",
            "config",
            "babylon rat",
            "spynet",
            "bazarloader",
            "clipper",
            "banker",
            "gh0st",
            "piratestealer",
            "witch",
            "killme",
            "vulturi",
            "tofsee",
            "slow",
            "owowa",
            "flagpro",
            "write",
            "dazzlespy",
            "decryptor",
            "bandit stealer",
            "bandit",
            "darkeye",
            "recordbreaker",
            "truebot",
            "svchost",
            "clipbanker",
            "service",
            "koivm",
            "arrowrat",
            "ducktail",
            "confuser",
            "gobrat",
            "modiloader",
            "chilelocker",
            "noclose",
            "strelastealer",
            "comfoo",
            "babar",
            "blankgrabber",
            "solarmarker",
            "darkgate",
            "stub",
            "banned",
            "globeimposter",
            "rhysida",
            "janelarat",
            "kraken",
            "recon",
            "quiterat",
            "venomrat",
            "venom rat",
            "sapphirestealer",
            "ntospy",
            "raccoon",
            "shifu",
            "mediapi",
            "poolrat",
            "cicada3301",
            "remoteexec",
            "babylockerkz",
            "new service",
            "creation id",
            "nextron"
          ],
          "references": [
            "Windows_Trojan_Tofsee.yar",
            "Suspicious New Service Creation (1).yml"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 353,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 28,
            "FileHash-SHA1": 27,
            "FileHash-SHA256": 1077,
            "domain": 282,
            "hostname": 316,
            "URL": 1092,
            "YARA": 535,
            "email": 4
          },
          "indicator_count": 3361,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 124,
          "modified_text": "230 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68245681009c35da8f04b45b",
          "name": "2606:4700:3036::ac43:a8cb (2606:4700:3000::/42)",
          "description": "Here is a full set of words and phrases used by the BBC to describe the various types of ransomware that can be used to target victims of the Windows operating system, as well as the UK.",
          "modified": "2025-06-13T07:02:14.919000",
          "created": "2025-05-14T08:38:25.425000",
          "tags": [
            "assignment",
            "cloudflare",
            "admin",
            "cloudflarenet",
            "allocation",
            "cloud14",
            "townsend stnsan",
            "warp abuse",
            "service",
            "arin rdapwhois",
            "rdapwhois",
            "reporting",
            "copyright",
            "registry",
            "wallet",
            "azaz09",
            "firefox",
            "windows nt",
            "windows",
            "data",
            "value",
            "sandbox",
            "edge",
            "msie",
            "example",
            "terminal",
            "phantom",
            "anubis",
            "bitcoin",
            "crypto",
            "exodus",
            "android",
            "keeper",
            "steam",
            "webdav",
            "explorer",
            "finger",
            "malware",
            "schmidti",
            "dllimport",
            "emotet",
            "mozilla",
            "win64",
            "insta",
            "solo",
            "union",
            "discord",
            "liberty",
            "saturn",
            "terra",
            "temple",
            "harmony",
            "core",
            "easy",
            "ultimate",
            "cash",
            "therat",
            "python image",
            "load",
            "python core",
            "python script",
            "py2exe",
            "john",
            "open threat",
            "research",
            "files",
            "comment",
            "python dll",
            "sideloading id",
            "dll sideloading",
            "poudel date",
            "filespython3",
            "studio",
            "python dlls",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard"
          ],
          "references": [
            "https://rdap.arin.net/registry/entity/CLOUD14",
            "https://rdap.arin.net/registry/entity/CLOUD146-ARIN",
            "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN",
            "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN",
            "https://rdap.arin.net/registry/entity/NOC11962-ARIN",
            "indicator_suspicious.yar",
            "Python Image Load By Non-Python Process.yml",
            "Potential Python DLL SideLoading.yml",
            "indicator_packed.yar"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TheRat",
              "display_name": "TheRat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 2,
            "URL": 870,
            "email": 4,
            "hostname": 148,
            "FileHash-SHA256": 471,
            "domain": 47,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "YARA": 163,
            "CVE": 1
          },
          "indicator_count": 1710,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 124,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66246ff49ed29ea9bb2bf122",
          "name": "S\u0105d Rejonowy w Jeleniej Gorze  POLAND",
          "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations",
          "modified": "2025-05-14T21:18:36.989000",
          "created": "2024-04-21T01:46:28.554000",
          "tags": [
            "jeleniej grze",
            "aktualnoci",
            "informacje",
            "jednostka",
            "rejonowy",
            "konkurs",
            "najczciej",
            "sd rejonowy",
            "przejd",
            "czytaj",
            "click",
            "sdzia jarosaw",
            "wydziau",
            "sdzia grzegorz",
            "katarzyna",
            "rudnicka dane",
            "kontaktowe sd",
            "jelenia gra",
            "mickiewicza",
            "zawarto",
            "html",
            "nazwa meta",
            "robotw",
            "telefon",
            "brak",
            "skala",
            "ua zgodna",
            "head body",
            "zasb",
            "cname",
            "kod odpowiedzi",
            "kodowanie treci",
            "wygasa",
            "gmt serwer",
            "pragma",
            "kontrola pamici",
            "podrcznej",
            "data",
            "gmt kontrola",
            "dostpuzezwl na",
            "czytaj wicej",
            "sd okrgowy",
            "jednostki",
            "okrgowy",
            "ogoszenia",
            "sha256",
            "vhash",
            "ssdeep",
            "https odcisk",
            "palca jarma",
            "https dane",
            "v3 numer",
            "odcisk palca",
            "tworzy katalog",
            "tworzy pliki",
            "typ pliku",
            "json",
            "ascii",
            "windows",
            "sqlite",
            "foxpro fpt",
            "links typ",
            "mapa",
            "152 x",
            "sqlite w",
            "sha1",
            "sha512",
            "file size",
            "b file",
            "testing",
            "komornik sdowy",
            "sdzie rejonowym",
            "tomasz rodacki",
            "obwieszczenie",
            "komornicze",
            "tumacza migam",
            "tumacz czynny",
            "zamknite",
            "wiadczenia",
            "schedule",
            "error",
            "javascript",
            "bakers hall",
            "ixaction",
            "script",
            "ixchatlauncher",
            "compatibility",
            "com dla",
            "t1055 pewno",
            "unikanie obrony",
            "t1036 maskarada",
            "t1082 pewno",
            "informacje o",
            "nazwa pliku",
            "dokument pdf",
            "rozmiar pliku",
            "zapowied",
            "type",
            "iii dbt",
            "utf8",
            "dziennik"
          ],
          "references": [
            "S\u0105d Rejonowy w Jeleniej G\u00f3rze.htm",
            "II Wydzia\u0142 Karny - S\u0105d Rejonowy w Jeleniej G\u00f3rze 1.htm",
            "http://www.jelenia-gora.so.gov.pl/",
            "https://www.jelenia-gora.so.gov.pl/",
            "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze",
            "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora",
            "https://www.jelenia-gora.sr.gov.pl/spacer",
            "https://waf.intelix.pl/957476/Chat/Script/Compatibility"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "",
              "display_name": "",
              "target": null
            },
            {
              "id": "serwer",
              "display_name": "serwer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 71,
            "domain": 7651,
            "hostname": 7680,
            "IPv4": 331,
            "FileHash-SHA256": 16168,
            "URL": 10399,
            "FileHash-MD5": 3639,
            "FileHash-SHA1": 3468,
            "CIDR": 4,
            "CVE": 89,
            "YARA": 521,
            "SSLCertFingerprint": 25,
            "JA3": 1,
            "IPv6": 5813
          },
          "indicator_count": 55860,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "674afb83c67ff4443e9f953a",
          "name": "PolymodXT.exe",
          "description": "",
          "modified": "2025-05-14T21:18:19.590000",
          "created": "2024-11-30T11:48:19.052000",
          "tags": [
            "file",
            "flagi",
            "process sha256",
            "process disc",
            "pathway z",
            "identyfikator",
            "zawiera moliwo",
            "klucz",
            "zawiera",
            "wybierz",
            "nie mona",
            "przechowywanie",
            "haso",
            "obiekt",
            "cig uid",
            "zilla",
            "enumerate",
            "defender",
            "pragma",
            "security",
            "license v2",
            "ff ff",
            "fc e8",
            "f8 ff",
            "fc ff",
            "c9 c3",
            "e4 f8",
            "cc cc",
            "fc eb",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard",
            "windows nt",
            "gecko",
            "khtml",
            "msie",
            "wow64",
            "stealer",
            "win64",
            "error",
            "userprofile",
            "keylogger",
            "encrypt",
            "antivm",
            "span",
            "main",
            "grabber",
            "hello",
            "android",
            "dcrat",
            "win32",
            "kill",
            "revengerat",
            "sandbox",
            "pass",
            "chat",
            "first",
            "asyncrat",
            "crypto",
            "injector",
            "dropper",
            "infostealer",
            "lockfile",
            "worldwind",
            "stealerium",
            "toxiceye",
            "avemaria",
            "fast",
            "persistence",
            "trojan",
            "restart",
            "snakekeylogger",
            "snake",
            "accept",
            "cookie",
            "code",
            "killproc",
            "lazarus",
            "dearcry",
            "njrat",
            "cyrus",
            "powershell",
            "info",
            "body",
            "floodfix",
            "downloader",
            "ransomware",
            "core",
            "loki",
            "fpspy",
            "klogexe",
            "firebird",
            "patch",
            "explorer",
            "avkiller",
            "masslogger",
            "baldr",
            "modi rat",
            "helpme",
            "osno",
            "import",
            "keylog",
            "screencapture",
            "ransom",
            "crypted",
            "silent",
            "xorddos",
            "stormkitty",
            "ordinal",
            "locker",
            "hyperbro",
            "lamepyre",
            "parallaxrat",
            "null",
            "shurk steal",
            "arkeistealer",
            "strongpity",
            "desktop",
            "myagent",
            "bypass",
            "fatduke",
            "miniduke",
            "polyglotduke",
            "guildma",
            "spyeye",
            "corebot",
            "killmbr",
            "ooops",
            "lcpdot",
            "torisma",
            "codec",
            "prometheus",
            "spook",
            "crypt",
            "logger",
            "zegost",
            "poshkeylogger",
            "systembc",
            "hdlocker",
            "cryptolocker",
            "fivehands",
            "kitty",
            "goldmax",
            "rents",
            "maurigo",
            "done",
            "hidewindow",
            "bokbot",
            "bladabindi",
            "darktrack",
            "darksky",
            "alien",
            "karkoff",
            "inject",
            "windigo",
            "rest",
            "softcnapp",
            "elysiumstealer",
            "leivion",
            "banload",
            "ultrareach",
            "ultrasurf",
            "buterat",
            "tools",
            "beasty",
            "shut",
            "gravityrat",
            "fatalrat",
            "discord",
            "deadwood",
            "turian",
            "markirat",
            "mark",
            "klingonrat",
            "path",
            "reverserat",
            "grab",
            "meta",
            "voidcrypt",
            "darkvnc",
            "ryzerlo",
            "hiddentear",
            "boxcaon",
            "stream",
            "crimsonrat",
            "delfi",
            "infinity",
            "stealthworker",
            "gasket",
            "spoolss",
            "lu0bot",
            "target",
            "attack",
            "cobaltstrike",
            "bits",
            "chaos",
            "bitcoin",
            "wiper",
            "delphi",
            "slackbot",
            "neshta",
            "belarus",
            "apanas",
            "runner",
            "darkcomet",
            "macoute",
            "iframe",
            "vanillarat",
            "sectoprat",
            "melt",
            "tomiris",
            "apostle",
            "blackbyte",
            "kutaki",
            "override",
            "windealer",
            "mkdir",
            "brbbot",
            "config",
            "babylon rat",
            "spynet",
            "bazarloader",
            "clipper",
            "banker",
            "gh0st",
            "piratestealer",
            "witch",
            "killme",
            "vulturi",
            "tofsee",
            "slow",
            "owowa",
            "flagpro",
            "write",
            "dazzlespy",
            "decryptor",
            "bandit stealer",
            "bandit",
            "darkeye",
            "recordbreaker",
            "truebot",
            "svchost",
            "clipbanker",
            "service",
            "arrowrat",
            "ducktail",
            "confuser",
            "gobrat",
            "modiloader",
            "chilelocker",
            "noclose",
            "strelastealer",
            "comfoo",
            "babar",
            "blankgrabber",
            "solarmarker",
            "darkgate",
            "stub",
            "banned",
            "globeimposter",
            "rhysida",
            "janelarat",
            "kraken",
            "recon",
            "quiterat",
            "venomrat",
            "venom rat",
            "sapphirestealer",
            "ntospy",
            "raccoon",
            "shifu",
            "mediapi",
            "poolrat",
            "cicada3301",
            "remoteexec"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 528,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 414,
            "FileHash-SHA1": 410,
            "FileHash-SHA256": 1940,
            "URL": 171,
            "hostname": 56,
            "domain": 134,
            "YARA": 759,
            "email": 4
          },
          "indicator_count": 3888,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 122,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cb982432751ed32fd0404b",
          "name": "Svchost id: 16c37b52-b141-42a5-a3ea-bbe098444397",
          "description": "The following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme and are subject to a review by BBC Newsnight and BBC Radio 5 live.",
          "modified": "2025-05-14T21:10:44.900000",
          "created": "2025-03-08T01:06:44.421000",
          "tags": [
            "vhash",
            "authentihash",
            "ssdeep",
            "rticon serbian",
            "arabic libya",
            "ico rtgroupicon",
            "serbian arabic",
            "libya",
            "windows nt",
            "detects",
            "gecko",
            "khtml",
            "msie",
            "wow64",
            "stealer",
            "win64",
            "error",
            "userprofile",
            "hunt",
            "keylogger",
            "encrypt",
            "antivm",
            "span",
            "main",
            "grabber",
            "hello",
            "android",
            "dcrat",
            "win32",
            "kill",
            "revengerat",
            "sandbox",
            "pass",
            "chat",
            "first",
            "asyncrat",
            "crypto",
            "injector",
            "dropper",
            "infostealer",
            "lockfile",
            "worldwind",
            "stealerium",
            "toxiceye",
            "avemaria",
            "fast",
            "persistence",
            "trojan",
            "restart",
            "snakekeylogger",
            "snake",
            "accept",
            "cookie",
            "code",
            "killproc",
            "lazarus",
            "dearcry",
            "njrat",
            "cyrus",
            "powershell",
            "info",
            "body",
            "floodfix",
            "downloader",
            "ransomware",
            "core",
            "loki",
            "fpspy",
            "klogexe",
            "firebird",
            "patch",
            "explorer",
            "avkiller",
            "masslogger",
            "baldr",
            "modi rat",
            "helpme",
            "osno",
            "import",
            "keylog",
            "screencapture",
            "ransom",
            "crypted",
            "silent",
            "xorddos",
            "stormkitty",
            "ordinal",
            "locker",
            "hyperbro",
            "lamepyre",
            "parallaxrat",
            "null",
            "shurk steal",
            "arkeistealer",
            "strongpity",
            "desktop",
            "myagent",
            "bypass",
            "fatduke",
            "miniduke",
            "polyglotduke",
            "guildma",
            "spyeye",
            "corebot",
            "killmbr",
            "ooops",
            "lcpdot",
            "torisma",
            "codec",
            "prometheus",
            "spook",
            "crypt",
            "logger",
            "zegost",
            "poshkeylogger",
            "systembc",
            "hdlocker",
            "cryptolocker",
            "fivehands",
            "kitty",
            "goldmax",
            "rents",
            "maurigo",
            "done",
            "hidewindow",
            "bokbot",
            "bladabindi",
            "darktrack",
            "darksky",
            "alien",
            "karkoff",
            "inject",
            "windigo",
            "rest",
            "softcnapp",
            "elysiumstealer",
            "leivion",
            "banload",
            "ultrareach",
            "ultrasurf",
            "buterat",
            "tools",
            "beasty",
            "shut",
            "gravityrat",
            "fatalrat",
            "discord",
            "deadwood",
            "turian",
            "markirat",
            "mark",
            "klingonrat",
            "path",
            "reverserat",
            "grab",
            "meta",
            "voidcrypt",
            "darkvnc",
            "ryzerlo",
            "hiddentear",
            "boxcaon",
            "stream",
            "crimsonrat",
            "delfi",
            "infinity",
            "stealthworker",
            "gasket",
            "spoolss",
            "lu0bot",
            "target",
            "attack",
            "cobaltstrike",
            "bits",
            "chaos",
            "bitcoin",
            "wiper",
            "delphi",
            "slackbot",
            "neshta",
            "belarus",
            "apanas",
            "runner",
            "darkcomet",
            "macoute",
            "iframe",
            "vanillarat",
            "sectoprat",
            "melt",
            "tomiris",
            "apostle",
            "blackbyte",
            "kutaki",
            "override",
            "windealer",
            "mkdir",
            "brbbot",
            "config",
            "babylon rat",
            "spynet",
            "bazarloader",
            "clipper",
            "banker",
            "gh0st",
            "piratestealer",
            "witch",
            "killme",
            "vulturi",
            "tofsee",
            "slow",
            "owowa",
            "flagpro",
            "write",
            "dazzlespy",
            "decryptor",
            "bandit stealer",
            "bandit",
            "darkeye",
            "recordbreaker",
            "truebot",
            "svchost",
            "clipbanker",
            "service",
            "koivm",
            "arrowrat",
            "ducktail",
            "confuser",
            "gobrat",
            "modiloader",
            "chilelocker",
            "noclose",
            "strelastealer",
            "comfoo",
            "babar",
            "blankgrabber",
            "solarmarker",
            "darkgate",
            "stub",
            "banned",
            "globeimposter",
            "rhysida",
            "janelarat",
            "kraken",
            "recon",
            "quiterat",
            "venomrat",
            "venom rat",
            "sapphirestealer",
            "ntospy",
            "raccoon",
            "shifu",
            "mediapi",
            "poolrat",
            "cicada3301",
            "remoteexec",
            "security",
            "license v2",
            "f6 d9",
            "sha256",
            "imphasz",
            "externalnet",
            "homenet",
            "unreachable",
            "imageendswith",
            "example",
            "imagestartswith",
            "files",
            "sandbox author",
            "securityuserid",
            "windows upgrade",
            "k netsvcs",
            "defender",
            "update",
            "code integrity",
            "checks id",
            "detects code",
            "thomas patzke",
            "filessophos",
            "outbound smtp",
            "connections id",
            "smtp",
            "david burkett",
            "signalblur",
            "commandline",
            "svchost parent",
            "process id",
            "roth",
            "nextron",
            "service binary",
            "system",
            "automatic",
            "manual",
            "filter fp",
            "avast software",
            "new service",
            "creation id"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 168,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 39,
            "FileHash-SHA1": 28,
            "FileHash-SHA256": 1065,
            "URL": 984,
            "YARA": 535,
            "domain": 262,
            "email": 4,
            "hostname": 316
          },
          "indicator_count": 3233,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 124,
          "modified_text": "340 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681f89cbab1a4574c464ad5b",
          "name": "f83991c8-f2d9-5583-845a-d105034783ab",
          "description": "https://www.virustotal.com/gui/file/e79f57b603370d4cd4ab1d757833995b89c7d79c9071c75d72c6d082ba0a7ea4/detection\nA chronology of key events in the history of the United States:-1.1-2 January 2020.. and 1 February 2021.. (c.9/11):.",
          "modified": "2025-05-10T17:15:55.933000",
          "created": "2025-05-10T17:15:55.933000",
          "tags": [
            "detects",
            "xored url",
            "roth",
            "nextron",
            "deepgit",
            "avast software",
            "gmbh",
            "perl dev",
            "digiread",
            "avid editor",
            "confuserex mod",
            "aspirecrypt",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 11,
            "FileHash-SHA256": 17,
            "YARA": 53,
            "URL": 55,
            "domain": 4,
            "hostname": 7,
            "CVE": 1
          },
          "indicator_count": 160,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "344 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a9f3def74f96146bc342d5",
          "name": "cobalt_loader_unpacked.exe",
          "description": "A guide to the Cobaltloader, a 32-bit executable for Windows, has been published by the University of Oxford.. and its website is published on the same day as the release.",
          "modified": "2025-02-10T12:41:02.752000",
          "created": "2025-02-10T12:41:02.752000",
          "tags": [
            "sha256",
            "sha1",
            "size",
            "ms windows",
            "copy ssdeep",
            "copy imphash",
            "call",
            "imagescnmemread",
            "imagescncntcode",
            "e5a596d6h",
            "rsp20h",
            "e5a595f0h",
            "e5a595dch",
            "rsp10h",
            "rsp18h",
            "rsp04h",
            "rsp08h",
            "rsp0ch",
            "rax05h",
            "themida",
            "thumbprint md5",
            "serial number",
            "vs2022",
            "symantec time",
            "stamping",
            "from",
            "algorithm",
            "thumbprint",
            "globalsign root",
            "submission",
            "w5k0fa2",
            "connection",
            "i64d",
            "http",
            "userprofile",
            "studio",
            "ldap",
            "detail",
            "cdecl sol",
            "socks5 connect",
            "ca file",
            "error",
            "class",
            "combo",
            "delta",
            "bind",
            "unknown",
            "void",
            "rest",
            "problem",
            "procin",
            "httpports",
            "ipv4 address",
            "homenet",
            "externalnet",
            "tgi hunt",
            "curl",
            "ip address",
            "et hunting",
            "dotted quad",
            "clientendpoint",
            "perimeter",
            "hunting",
            "informational",
            "policy",
            "outbound",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "reactor",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "smartassembly",
            "koivm",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "loader",
            "sality",
            "dnguard"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA256": 177,
            "FileHash-SHA1": 7,
            "YARA": 52,
            "email": 7,
            "IPv4": 38,
            "URL": 154,
            "domain": 14,
            "hostname": 58
          },
          "indicator_count": 530,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 123,
          "modified_text": "433 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "645c128e527a0d3c9e97de8b",
          "name": "TinyURL & m.strpe.network",
          "description": "This page uses the non-standard property \u201czoom\u201d along with the property \"transform-origin: 0 0\u2019s effect on the shape of the image, as well as the number of letters and numbers.  the twitter cdn image is the only tinyurl of mine that has the redirect hijacked ( tinyurl.com/4mm926ty ) but it's a valid source. (reference 2).",
          "modified": "2023-05-11T01:44:37.555000",
          "created": "2023-05-10T21:54:22.070000",
          "tags": [
            "declaration",
            "ruleset",
            "error",
            "gethttps",
            "msthumb",
            "background",
            "msvalue",
            "http3",
            "xhrgethttps",
            "stripem",
            "strong",
            "pdfs",
            "pdf pdf",
            "finance legal",
            "get started",
            "pdffiller",
            "pdf api",
            "api pricing",
            "convert",
            "tax guide",
            "contact",
            "form",
            "powerful",
            "turn",
            "alliance",
            "solve",
            "accept",
            "communicating",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "silent install",
            "smartassembly",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard",
            "XML",
            "Header",
            "mitm"
          ],
          "references": [
            "console-export-2023-5-10_16-0-16.txt",
            "pbs.twimg.com/media/FtL4fsoWAAA3Z4M?format=png&name=small"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "TinyURL",
            "Twitter"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jaaayson",
            "id": "217407",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217407/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 4,
            "FileHash-SHA256": 21,
            "FileHash-MD5": 3,
            "URL": 3,
            "YARA": 49,
            "domain": 5
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 29,
          "modified_text": "1074 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63c1cb43d0ebf6da70265159",
          "name": "PDfffiler?",
          "description": "Content Deception Network v2",
          "modified": "2023-02-12T17:57:55.301000",
          "created": "2023-01-13T21:21:07.056000",
          "tags": [
            "strong",
            "pdfs",
            "pdf pdf",
            "finance legal",
            "get started",
            "pdffiller",
            "pdf api",
            "api pricing",
            "convert",
            "tax guide",
            "contact",
            "form",
            "powerful",
            "turn",
            "alliance",
            "solve",
            "accept",
            "communicating",
            "confuserex mod",
            "aspirecrypt",
            "detects",
            "beds protector",
            "ps2exe",
            "bsjb",
            "boxedapp",
            "cyaxsharp",
            "cyaxpng",
            "silent install",
            "smartassembly",
            "confuserex",
            "obfuscator",
            "aspack",
            "titan",
            "enigma",
            "vmprotect",
            "strings",
            "rlpack",
            "antiem",
            "antisb",
            "themida",
            "loader",
            "sality",
            "dnguard",
            "XML",
            "Header",
            "mitm"
          ],
          "references": [
            "Jaaayson - Analyzing PDfffiler.com.json",
            "indicator_packed.yar",
            "undefined.csv",
            "https://www.pdffiller.com/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Twitter"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jaaayson",
            "id": "217407",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217407/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 3,
            "URL": 3,
            "FileHash-SHA256": 21,
            "FileHash-MD5": 1,
            "YARA": 49,
            "domain": 4
          },
          "indicator_count": 81,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 29,
          "modified_text": "1162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "pbs.twimg.com/media/FtL4fsoWAAA3Z4M?format=png&name=small",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
        "Python Image Load By Non-Python Process.yml",
        "http://www.jelenia-gora.so.gov.pl/",
        "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
        "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm",
        "undefined.csv",
        "Windows_Trojan_Tofsee.yar",
        "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN",
        "console-export-2023-5-10_16-0-16.txt",
        "https://rdap.arin.net/registry/entity/CLOUD14",
        "Potential Python DLL SideLoading.yml",
        "https://www.pdffiller.com/",
        "https://rdap.arin.net/registry/entity/NOC11962-ARIN",
        "S?d Rejonowy w Jeleniej G\u00f3rze.htm",
        "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
        "Suspicious New Service Creation (1).yml",
        "https://www.jelenia-gora.so.gov.pl/",
        "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
        "https://www.jelenia-gora.sr.gov.pl/spacer",
        "Jaaayson - Analyzing PDfffiler.com.json",
        "indicator_suspicious.yar",
        "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6",
        "indicator_packed.yar",
        "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora",
        "https://rdap.arin.net/registry/entity/CLOUD146-ARIN",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
        "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze",
        "https://waf.intelix.pl/957476/Chat/Script/Compatibility",
        "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "",
            "Therat",
            "Serwer"
          ],
          "industries": [
            "Twitter",
            "Tinyurl"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "69d5a8def91087434d1df14b",
      "name": "VirusTotal Windows Sandbox",
      "description": "A security alert has been launched by InQuest Labs R&D at the University of California, San Francisco, to investigate the use of Base64 as an address for web addresses and links on the internet. Jd- 3b5074b1b5d032e5620f69f9f700ff0e\n0e07085e04cc7020652995b536fd99a7\n123402a56d3e6b49eb471ee3bd1ccd0d\n131ae075b4ea025e4cac3262abc1cc51\n16896e98512813240dde29439b9dbabb\n2823dc3a4a78c0e45d279d052945dddf\n28a2c9bd18a11de089ef85a160da29e4\n34974b6437558a9b630f17e562868970\n4aad38bb2ab12dfcf77b45dfcad42801\n54af8c5e2731171ab2e103b55fad6ba0\n6316bde54a7388dd96416355e16bbec6\n7d9ca857e500f919822d02e907fd376c\n7fa57cdb6989cc29c9c6e05c1f98a04d\n843d00145c833145305dfd86a9944d47\n9cea5dc0fe8092f4d251f17e173dab20\nadc58c2ebe33331d81758c4ab4eb2091\nb190d3580b6b75594a7d53e0ab7b075c\nb95fd39f922163b94b40d5b7605fe0c9\nd1352a4605e4f045b6f78681227160ca\nd786947b5d04c6705014803f265cc73f\ne16530d7c64d3654ba93408c8d6aff9a\ne4c8aa0e70185e550a8d64e1408e2ccd\nedfa0ce8dc4638c67a6818cf469dbf3f\nf4ce811849cf8ad158970c1b18a2d457",
      "modified": "2026-04-08T02:06:12.150000",
      "created": "2026-04-08T01:01:18.419000",
      "tags": [
        "sha256",
        "ssdeep",
        "zizqw3g tlsh",
        "csv text",
        "magic csv",
        "magika csv",
        "file size",
        "x32gwm",
        "inquest labs",
        "base64",
        "x2bx2fx38x39",
        "x2bx2fx39wz",
        "writefile",
        "readfile",
        "isbadreadptr",
        "setfilepointer",
        "windows api",
        "inquestpii",
        "loadlibrarya",
        "shellexecutea",
        "getprocaddress",
        "microsoft",
        "msft nethandle",
        "net52",
        "net520000",
        "msft",
        "orgid",
        "msft address",
        "microsoft way",
        "city",
        "stateprov",
        "microsoft abuse",
        "contact orgid",
        "orgdnshandle",
        "orgdnsref",
        "orgabuseref",
        "peering",
        "orgtechhandle",
        "domain name",
        "status",
        "windows sandbox",
        "calls process",
        "id file",
        "magic",
        "trid macbinary",
        "memo file",
        "apollo database",
        "engine",
        "vxd driver",
        "sybase",
        "ip traffic",
        "tls sni",
        "cname",
        "default",
        "cultureneutral",
        "file type",
        "mwdb",
        "bazaar",
        "sha3384",
        "inprocserver32",
        "accept",
        "shutdown",
        "win64",
        "url final",
        "serving ip",
        "address",
        "status code",
        "body length",
        "b body",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "themida",
        "loader",
        "sality",
        "dnguard",
        "shell folders",
        "parent pid",
        "full path",
        "command line",
        "guard",
        "pe file",
        "binary",
        "contains",
        "aslr",
        "https",
        "performs dns",
        "network info",
        "sample",
        "creates",
        "window",
        "malicious",
        "next",
        "systemroot",
        "folders",
        "k netsvcs",
        "file execution",
        "matches rule",
        "snort",
        "get https",
        "medium",
        "info",
        "mtu denial",
        "needed",
        "df bit",
        "unique rule",
        "http requests",
        "memory pattern",
        "post https",
        "dns resolutions",
        "domains",
        "urls https",
        "externalnet",
        "homenet",
        "5762",
        "imageendswith",
        "dns query",
        "browser",
        "nextron",
        "advanced threat",
        "imagestartswith",
        "filesseamonkey",
        "whale",
        "fileswaterfox",
        "filesfalkon"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
        "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
        "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
        "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 197,
        "FileHash-SHA1": 135,
        "FileHash-SHA256": 186,
        "URL": 192,
        "YARA": 55,
        "hostname": 259,
        "domain": 57,
        "CIDR": 5,
        "email": 9,
        "IPv4": 221
      },
      "indicator_count": 1316,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "11 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d5a8ed39cff9923a6487f7",
      "name": "VirusTotal Windows Sandbox",
      "description": "A security alert has been launched by InQuest Labs R&D at the University of California, San Francisco, to investigate the use of Base64 as an address for web addresses and links on the internet. Jd- 3b5074b1b5d032e5620f69f9f700ff0e\n0e07085e04cc7020652995b536fd99a7\n123402a56d3e6b49eb471ee3bd1ccd0d\n131ae075b4ea025e4cac3262abc1cc51\n16896e98512813240dde29439b9dbabb\n2823dc3a4a78c0e45d279d052945dddf\n28a2c9bd18a11de089ef85a160da29e4\n34974b6437558a9b630f17e562868970\n4aad38bb2ab12dfcf77b45dfcad42801\n54af8c5e2731171ab2e103b55fad6ba0\n6316bde54a7388dd96416355e16bbec6\n7d9ca857e500f919822d02e907fd376c\n7fa57cdb6989cc29c9c6e05c1f98a04d\n843d00145c833145305dfd86a9944d47\n9cea5dc0fe8092f4d251f17e173dab20\nadc58c2ebe33331d81758c4ab4eb2091\nb190d3580b6b75594a7d53e0ab7b075c\nb95fd39f922163b94b40d5b7605fe0c9\nd1352a4605e4f045b6f78681227160ca\nd786947b5d04c6705014803f265cc73f\ne16530d7c64d3654ba93408c8d6aff9a\ne4c8aa0e70185e550a8d64e1408e2ccd\nedfa0ce8dc4638c67a6818cf469dbf3f\nf4ce811849cf8ad158970c1b18a2d457",
      "modified": "2026-04-08T01:47:03.801000",
      "created": "2026-04-08T01:01:33.948000",
      "tags": [
        "sha256",
        "ssdeep",
        "zizqw3g tlsh",
        "csv text",
        "magic csv",
        "magika csv",
        "file size",
        "x32gwm",
        "inquest labs",
        "base64",
        "x2bx2fx38x39",
        "x2bx2fx39wz",
        "writefile",
        "readfile",
        "isbadreadptr",
        "setfilepointer",
        "windows api",
        "inquestpii",
        "loadlibrarya",
        "shellexecutea",
        "getprocaddress",
        "microsoft",
        "msft nethandle",
        "net52",
        "net520000",
        "msft",
        "orgid",
        "msft address",
        "microsoft way",
        "city",
        "stateprov",
        "microsoft abuse",
        "contact orgid",
        "orgdnshandle",
        "orgdnsref",
        "orgabuseref",
        "peering",
        "orgtechhandle",
        "domain name",
        "status",
        "windows sandbox",
        "calls process",
        "id file",
        "magic",
        "trid macbinary",
        "memo file",
        "apollo database",
        "engine",
        "vxd driver",
        "sybase",
        "ip traffic",
        "tls sni",
        "cname",
        "default",
        "cultureneutral",
        "file type",
        "mwdb",
        "bazaar",
        "sha3384",
        "inprocserver32",
        "accept",
        "shutdown",
        "win64",
        "url final",
        "serving ip",
        "address",
        "status code",
        "body length",
        "b body",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "themida",
        "loader",
        "sality",
        "dnguard",
        "shell folders",
        "parent pid",
        "full path",
        "command line",
        "guard",
        "pe file",
        "binary",
        "contains",
        "aslr",
        "https",
        "performs dns",
        "network info",
        "sample",
        "creates",
        "window",
        "malicious",
        "next",
        "systemroot",
        "folders",
        "k netsvcs",
        "file execution",
        "matches rule",
        "snort",
        "get https",
        "medium",
        "info",
        "mtu denial",
        "needed",
        "df bit",
        "unique rule",
        "http requests",
        "memory pattern",
        "post https",
        "dns resolutions",
        "domains",
        "urls https",
        "externalnet",
        "homenet",
        "5762",
        "imageendswith",
        "dns query",
        "browser",
        "nextron",
        "advanced threat",
        "imagestartswith",
        "filesseamonkey",
        "whale",
        "fileswaterfox",
        "filesfalkon"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
        "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
        "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
        "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 77,
        "FileHash-SHA1": 51,
        "FileHash-SHA256": 100,
        "URL": 144,
        "YARA": 55,
        "hostname": 183,
        "domain": 43,
        "CIDR": 5,
        "email": 7,
        "IPv4": 149
      },
      "indicator_count": 814,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "11 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d5a8e09ff941be26eaec9c",
      "name": "VirusTotal Windows Sandbox",
      "description": "A security alert has been launched by InQuest Labs R&D at the University of California, San Francisco, to investigate the use of Base64 as an address for web addresses and links on the internet. Jd- 3b5074b1b5d032e5620f69f9f700ff0e\n0e07085e04cc7020652995b536fd99a7\n123402a56d3e6b49eb471ee3bd1ccd0d\n131ae075b4ea025e4cac3262abc1cc51\n16896e98512813240dde29439b9dbabb\n2823dc3a4a78c0e45d279d052945dddf\n28a2c9bd18a11de089ef85a160da29e4\n34974b6437558a9b630f17e562868970\n4aad38bb2ab12dfcf77b45dfcad42801\n54af8c5e2731171ab2e103b55fad6ba0\n6316bde54a7388dd96416355e16bbec6\n7d9ca857e500f919822d02e907fd376c\n7fa57cdb6989cc29c9c6e05c1f98a04d\n843d00145c833145305dfd86a9944d47\n9cea5dc0fe8092f4d251f17e173dab20\nadc58c2ebe33331d81758c4ab4eb2091\nb190d3580b6b75594a7d53e0ab7b075c\nb95fd39f922163b94b40d5b7605fe0c9\nd1352a4605e4f045b6f78681227160ca\nd786947b5d04c6705014803f265cc73f\ne16530d7c64d3654ba93408c8d6aff9a\ne4c8aa0e70185e550a8d64e1408e2ccd\nedfa0ce8dc4638c67a6818cf469dbf3f\nf4ce811849cf8ad158970c1b18a2d457",
      "modified": "2026-04-08T01:47:02.694000",
      "created": "2026-04-08T01:01:20.099000",
      "tags": [
        "sha256",
        "ssdeep",
        "zizqw3g tlsh",
        "csv text",
        "magic csv",
        "magika csv",
        "file size",
        "x32gwm",
        "inquest labs",
        "base64",
        "x2bx2fx38x39",
        "x2bx2fx39wz",
        "writefile",
        "readfile",
        "isbadreadptr",
        "setfilepointer",
        "windows api",
        "inquestpii",
        "loadlibrarya",
        "shellexecutea",
        "getprocaddress",
        "microsoft",
        "msft nethandle",
        "net52",
        "net520000",
        "msft",
        "orgid",
        "msft address",
        "microsoft way",
        "city",
        "stateprov",
        "microsoft abuse",
        "contact orgid",
        "orgdnshandle",
        "orgdnsref",
        "orgabuseref",
        "peering",
        "orgtechhandle",
        "domain name",
        "status",
        "windows sandbox",
        "calls process",
        "id file",
        "magic",
        "trid macbinary",
        "memo file",
        "apollo database",
        "engine",
        "vxd driver",
        "sybase",
        "ip traffic",
        "tls sni",
        "cname",
        "default",
        "cultureneutral",
        "file type",
        "mwdb",
        "bazaar",
        "sha3384",
        "inprocserver32",
        "accept",
        "shutdown",
        "win64",
        "url final",
        "serving ip",
        "address",
        "status code",
        "body length",
        "b body",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "themida",
        "loader",
        "sality",
        "dnguard",
        "shell folders",
        "parent pid",
        "full path",
        "command line",
        "guard",
        "pe file",
        "binary",
        "contains",
        "aslr",
        "https",
        "performs dns",
        "network info",
        "sample",
        "creates",
        "window",
        "malicious",
        "next",
        "systemroot",
        "folders",
        "k netsvcs",
        "file execution",
        "matches rule",
        "snort",
        "get https",
        "medium",
        "info",
        "mtu denial",
        "needed",
        "df bit",
        "unique rule",
        "http requests",
        "memory pattern",
        "post https",
        "dns resolutions",
        "domains",
        "urls https",
        "externalnet",
        "homenet",
        "5762",
        "imageendswith",
        "dns query",
        "browser",
        "nextron",
        "advanced threat",
        "imagestartswith",
        "filesseamonkey",
        "whale",
        "fileswaterfox",
        "filesfalkon"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/657ade511221cda6d5391d6801efbf5857e91e8439319fd70d2a54d02e2697a0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609236&Signature=DeA5O6CTtdDaFLThPBzSDLEN8Osrr52D6l5yCN5bZX5zQjnkvPK3g8QEnK%2FQOZcS6WBDjtPuqSaEsLVXQ652jk0DLtUdQ5x5Tf2QcLEaJo7eeqC27bFTZBED9cwgsbA8rGtb83msJKgxRV6v%2BNcAuehnhhx%2FdluCJQ6wWIHjkCXiGm1h%2FLoJ3zG4VpMtpfFT8yIsc9ooKxbljJx3b7%2BcwgUCUJh%2FTzgrDOFT%2Bk3Oow",
        "https://vtbehaviour.commondatastorage.googleapis.com/05c0d5df13db7952792ccf35fff2eeea88fd0303e166d5e86285359e5d82163a_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609315&Signature=yID4RduHstM4TRFgmJkPYWfFKEByIyDLVxqxQ4J14L5K%2BPR97Pv9y1EWBhQufdvpTr0Vw69MuXZ7pf6mOhKl%2FZ%2Fd7RkVb8psB0SGRdPOqnNQ8zHDZ%2Bb3EAFlIMTeOT6%2BkM8bZF0v9FOpDPYCVS7qWNIOJqed2CkyLMa3MhOf%2Ba4FV%2BW7nDVf3rWt238pP%2F2wOxHtU6%2F0FTIUjozqyUoW5fF9ePLN5a8CrGmacl",
        "https://vtbehaviour.commondatastorage.googleapis.com/7b8931f02a86e3c8becd373d08f6a277b1a2d981d0e4d27b341ae56c84bbcd84_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609482&Signature=Io2DgedeXtCfGstTsFSe2TeudaAytkQ3s377BiOyuabRYdRFEUNDBJMGwe0YqA7y4VOpzZBHyl7MbW9%2Bv3C%2BNucxzMbLEBfJtWBO1IqfvlvMqc32cZjqBOtqB1%2B0aTuaucgzSAVc8PC3VvUbZUaFDBFixJjmgzZMxUb6JRGYyAsHHx0k2GvsYa6oL6L38%2Btsk9f7NIov%2F8IxY1Ha%2FRGmaFNnJ61v2jUOsCDihyPELjLRsTui1b",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609722&Signature=WqkdQY8Bmk%2FkZQxgUlRTtxsUV9ifQ20npBPZi66iZhBFkMlTDlpYVSWs8O3Z3cx%2F5o74iHvujaLyqwtmi%2Bomlrw%2BltLOsTWdLJh%2B3qsX8nB2k%2BDK5%2BZRweROecgBuzTre64tr%2FZhora9m8KiyVewHoBS5vT5lew%2FEcps4pYFdDjGDRv4Hxw00%2FUmsEtMCWRSsp8RRd0LM5%2BDSjY3jsbRfPAjcOFfKoStNFYYDPOs",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609756&Signature=Rdmc7zdC8WIeE5au2ytaKCAZzS6CnYteTrJC0XEqLRR%2FmH9EjX7HJojbe74TjvW3GvkxbLs1vG04awZwb0YXxg9D8%2BQ2HRyO5ErFRMIL9LwZLJmqsZ9NIFf7AFbVlyB2%2B6lH0z552NSsdy3n5rXeD8TLXab9D9LGTyXkPBbp%2BOjDpMBmSOYfVgAyJT17UtY7vLGxQ%2FCJsYWEMAAinVDm%2F%2FvT5z%2BIBaROQDm6CRIRomamw57lq08hFK",
        "https://vtbehaviour.commondatastorage.googleapis.com/bca3236549f740f6582dcd44d5d98465a5a42e784ca5fcece4c9f00b383d12f0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609812&Signature=j%2BmIrkE%2FbH3FNOHyPF0nlsfnFg%2ByHY%2BzIz6oRfDLCGpEPHs4OG%2FiJf5b61rVbsm57qg4xdjsEr4Stv5tGDBKP5OWIT91qaKtVPC2Cqzzv8o6rctKzNZ0zoWD6xMo3PIi3u9ytawP%2Bg2Ub5pJsF2wzyldWroo0FNDHB0Y3xGtAefZxqwSzZQufb9Kn2%2Fy30S9zoWhQXrFWTFr%2FvrszmwbK%2FXSDq2S8HdeXnWpWP",
        "https://vtbehaviour.commondatastorage.googleapis.com/ea342c4f84120e6a5dfab371f971d4763834a7e306b00c72afc76d8e26783b20_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775609844&Signature=fB7RV8R%2ByVZoiNavtDWQxujcWbqBpR4b5Br4Brs2E2aI%2FR7C6RW2zPdwquB%2FowTDpVFDUkH%2BAzXgsMaTruvatv4qQrjkyqlZxzqogbWxIuVy2X7HVdc%2B5QIi4AiR74Pm8XyuWufmtmILOJKq9JFgYYXfjZSHojqZoN6GDU%2BRxBF%2FMNvfjaapTTJooQB2elVP0DQpD2v1SxCl%2FNQDPTaybrYD5fBMcOnNoQ0KvurH%2BDI6"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 77,
        "FileHash-SHA1": 51,
        "FileHash-SHA256": 100,
        "URL": 144,
        "YARA": 55,
        "hostname": 183,
        "domain": 43,
        "CIDR": 5,
        "email": 7,
        "IPv4": 149
      },
      "indicator_count": 814,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "11 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f6c635cb8c3c8b256b6dba",
      "name": "sdfzsdf.ele   fac1ec40eea5a4fc05f17e019328e287",
      "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations",
      "modified": "2025-09-01T08:05:17.675000",
      "created": "2025-04-09T19:10:45.337000",
      "tags": [
        "sha1",
        "rozmiar",
        "typ pliku",
        "win32",
        "numer wersji",
        "wersja",
        "nieznany",
        "sha512",
        "crc32",
        "ssd gboki",
        "win64",
        "security",
        "license v2",
        "f6 d9",
        "windows nt",
        "detects",
        "gecko",
        "khtml",
        "msie",
        "wow64",
        "stealer",
        "error",
        "userprofile",
        "hunt",
        "keylogger",
        "encrypt",
        "antivm",
        "span",
        "main",
        "grabber",
        "hello",
        "android",
        "dcrat",
        "kill",
        "revengerat",
        "sandbox",
        "pass",
        "chat",
        "first",
        "asyncrat",
        "crypto",
        "injector",
        "dropper",
        "infostealer",
        "lockfile",
        "worldwind",
        "stealerium",
        "toxiceye",
        "avemaria",
        "fast",
        "persistence",
        "trojan",
        "restart",
        "snakekeylogger",
        "snake",
        "accept",
        "cookie",
        "code",
        "killproc",
        "lazarus",
        "dearcry",
        "njrat",
        "cyrus",
        "powershell",
        "info",
        "body",
        "floodfix",
        "downloader",
        "ransomware",
        "core",
        "loki",
        "fpspy",
        "klogexe",
        "firebird",
        "patch",
        "explorer",
        "avkiller",
        "masslogger",
        "baldr",
        "modi rat",
        "helpme",
        "osno",
        "import",
        "keylog",
        "screencapture",
        "ransom",
        "crypted",
        "silent",
        "xorddos",
        "stormkitty",
        "ordinal",
        "locker",
        "hyperbro",
        "lamepyre",
        "parallaxrat",
        "null",
        "shurk steal",
        "arkeistealer",
        "strongpity",
        "desktop",
        "myagent",
        "bypass",
        "fatduke",
        "miniduke",
        "polyglotduke",
        "guildma",
        "spyeye",
        "corebot",
        "killmbr",
        "ooops",
        "lcpdot",
        "torisma",
        "codec",
        "prometheus",
        "spook",
        "crypt",
        "logger",
        "zegost",
        "poshkeylogger",
        "systembc",
        "hdlocker",
        "cryptolocker",
        "fivehands",
        "kitty",
        "goldmax",
        "rents",
        "maurigo",
        "done",
        "hidewindow",
        "bokbot",
        "bladabindi",
        "darktrack",
        "darksky",
        "alien",
        "karkoff",
        "inject",
        "windigo",
        "rest",
        "softcnapp",
        "elysiumstealer",
        "leivion",
        "banload",
        "ultrareach",
        "ultrasurf",
        "buterat",
        "tools",
        "beasty",
        "shut",
        "gravityrat",
        "fatalrat",
        "discord",
        "deadwood",
        "turian",
        "markirat",
        "mark",
        "klingonrat",
        "path",
        "reverserat",
        "grab",
        "meta",
        "voidcrypt",
        "darkvnc",
        "ryzerlo",
        "hiddentear",
        "boxcaon",
        "stream",
        "crimsonrat",
        "delfi",
        "infinity",
        "stealthworker",
        "gasket",
        "spoolss",
        "lu0bot",
        "target",
        "attack",
        "cobaltstrike",
        "bits",
        "chaos",
        "bitcoin",
        "wiper",
        "delphi",
        "slackbot",
        "neshta",
        "belarus",
        "apanas",
        "runner",
        "darkcomet",
        "macoute",
        "iframe",
        "vanillarat",
        "sectoprat",
        "melt",
        "tomiris",
        "apostle",
        "blackbyte",
        "kutaki",
        "override",
        "windealer",
        "mkdir",
        "brbbot",
        "config",
        "babylon rat",
        "spynet",
        "bazarloader",
        "clipper",
        "banker",
        "gh0st",
        "piratestealer",
        "witch",
        "killme",
        "vulturi",
        "tofsee",
        "slow",
        "owowa",
        "flagpro",
        "write",
        "dazzlespy",
        "decryptor",
        "bandit stealer",
        "bandit",
        "darkeye",
        "recordbreaker",
        "truebot",
        "svchost",
        "clipbanker",
        "service",
        "koivm",
        "arrowrat",
        "ducktail",
        "confuser",
        "gobrat",
        "modiloader",
        "chilelocker",
        "noclose",
        "strelastealer",
        "comfoo",
        "babar",
        "blankgrabber",
        "solarmarker",
        "darkgate",
        "stub",
        "banned",
        "globeimposter",
        "rhysida",
        "janelarat",
        "kraken",
        "recon",
        "quiterat",
        "venomrat",
        "venom rat",
        "sapphirestealer",
        "ntospy",
        "raccoon",
        "shifu",
        "mediapi",
        "poolrat",
        "cicada3301",
        "remoteexec",
        "babylockerkz",
        "new service",
        "creation id",
        "nextron"
      ],
      "references": [
        "Windows_Trojan_Tofsee.yar",
        "Suspicious New Service Creation (1).yml"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 353,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 28,
        "FileHash-SHA1": 27,
        "FileHash-SHA256": 1077,
        "domain": 282,
        "hostname": 316,
        "URL": 1092,
        "YARA": 535,
        "email": 4
      },
      "indicator_count": 3361,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 124,
      "modified_text": "230 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68245681009c35da8f04b45b",
      "name": "2606:4700:3036::ac43:a8cb (2606:4700:3000::/42)",
      "description": "Here is a full set of words and phrases used by the BBC to describe the various types of ransomware that can be used to target victims of the Windows operating system, as well as the UK.",
      "modified": "2025-06-13T07:02:14.919000",
      "created": "2025-05-14T08:38:25.425000",
      "tags": [
        "assignment",
        "cloudflare",
        "admin",
        "cloudflarenet",
        "allocation",
        "cloud14",
        "townsend stnsan",
        "warp abuse",
        "service",
        "arin rdapwhois",
        "rdapwhois",
        "reporting",
        "copyright",
        "registry",
        "wallet",
        "azaz09",
        "firefox",
        "windows nt",
        "windows",
        "data",
        "value",
        "sandbox",
        "edge",
        "msie",
        "example",
        "terminal",
        "phantom",
        "anubis",
        "bitcoin",
        "crypto",
        "exodus",
        "android",
        "keeper",
        "steam",
        "webdav",
        "explorer",
        "finger",
        "malware",
        "schmidti",
        "dllimport",
        "emotet",
        "mozilla",
        "win64",
        "insta",
        "solo",
        "union",
        "discord",
        "liberty",
        "saturn",
        "terra",
        "temple",
        "harmony",
        "core",
        "easy",
        "ultimate",
        "cash",
        "therat",
        "python image",
        "load",
        "python core",
        "python script",
        "py2exe",
        "john",
        "open threat",
        "research",
        "files",
        "comment",
        "python dll",
        "sideloading id",
        "dll sideloading",
        "poudel date",
        "filespython3",
        "studio",
        "python dlls",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "themida",
        "loader",
        "sality",
        "dnguard"
      ],
      "references": [
        "https://rdap.arin.net/registry/entity/CLOUD14",
        "https://rdap.arin.net/registry/entity/CLOUD146-ARIN",
        "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN",
        "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN",
        "https://rdap.arin.net/registry/entity/NOC11962-ARIN",
        "indicator_suspicious.yar",
        "Python Image Load By Non-Python Process.yml",
        "Potential Python DLL SideLoading.yml",
        "indicator_packed.yar"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TheRat",
          "display_name": "TheRat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 2,
        "URL": 870,
        "email": 4,
        "hostname": 148,
        "FileHash-SHA256": 471,
        "domain": 47,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "YARA": 163,
        "CVE": 1
      },
      "indicator_count": 1710,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 124,
      "modified_text": "310 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66246ff49ed29ea9bb2bf122",
      "name": "S\u0105d Rejonowy w Jeleniej Gorze  POLAND",
      "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations",
      "modified": "2025-05-14T21:18:36.989000",
      "created": "2024-04-21T01:46:28.554000",
      "tags": [
        "jeleniej grze",
        "aktualnoci",
        "informacje",
        "jednostka",
        "rejonowy",
        "konkurs",
        "najczciej",
        "sd rejonowy",
        "przejd",
        "czytaj",
        "click",
        "sdzia jarosaw",
        "wydziau",
        "sdzia grzegorz",
        "katarzyna",
        "rudnicka dane",
        "kontaktowe sd",
        "jelenia gra",
        "mickiewicza",
        "zawarto",
        "html",
        "nazwa meta",
        "robotw",
        "telefon",
        "brak",
        "skala",
        "ua zgodna",
        "head body",
        "zasb",
        "cname",
        "kod odpowiedzi",
        "kodowanie treci",
        "wygasa",
        "gmt serwer",
        "pragma",
        "kontrola pamici",
        "podrcznej",
        "data",
        "gmt kontrola",
        "dostpuzezwl na",
        "czytaj wicej",
        "sd okrgowy",
        "jednostki",
        "okrgowy",
        "ogoszenia",
        "sha256",
        "vhash",
        "ssdeep",
        "https odcisk",
        "palca jarma",
        "https dane",
        "v3 numer",
        "odcisk palca",
        "tworzy katalog",
        "tworzy pliki",
        "typ pliku",
        "json",
        "ascii",
        "windows",
        "sqlite",
        "foxpro fpt",
        "links typ",
        "mapa",
        "152 x",
        "sqlite w",
        "sha1",
        "sha512",
        "file size",
        "b file",
        "testing",
        "komornik sdowy",
        "sdzie rejonowym",
        "tomasz rodacki",
        "obwieszczenie",
        "komornicze",
        "tumacza migam",
        "tumacz czynny",
        "zamknite",
        "wiadczenia",
        "schedule",
        "error",
        "javascript",
        "bakers hall",
        "ixaction",
        "script",
        "ixchatlauncher",
        "compatibility",
        "com dla",
        "t1055 pewno",
        "unikanie obrony",
        "t1036 maskarada",
        "t1082 pewno",
        "informacje o",
        "nazwa pliku",
        "dokument pdf",
        "rozmiar pliku",
        "zapowied",
        "type",
        "iii dbt",
        "utf8",
        "dziennik"
      ],
      "references": [
        "S\u0105d Rejonowy w Jeleniej G\u00f3rze.htm",
        "II Wydzia\u0142 Karny - S\u0105d Rejonowy w Jeleniej G\u00f3rze 1.htm",
        "http://www.jelenia-gora.so.gov.pl/",
        "https://www.jelenia-gora.so.gov.pl/",
        "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze",
        "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora",
        "https://www.jelenia-gora.sr.gov.pl/spacer",
        "https://waf.intelix.pl/957476/Chat/Script/Compatibility"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "",
          "display_name": "",
          "target": null
        },
        {
          "id": "serwer",
          "display_name": "serwer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 71,
        "domain": 7651,
        "hostname": 7680,
        "IPv4": 331,
        "FileHash-SHA256": 16168,
        "URL": 10399,
        "FileHash-MD5": 3639,
        "FileHash-SHA1": 3468,
        "CIDR": 4,
        "CVE": 89,
        "YARA": 521,
        "SSLCertFingerprint": 25,
        "JA3": 1,
        "IPv6": 5813
      },
      "indicator_count": 55860,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "340 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "674afb83c67ff4443e9f953a",
      "name": "PolymodXT.exe",
      "description": "",
      "modified": "2025-05-14T21:18:19.590000",
      "created": "2024-11-30T11:48:19.052000",
      "tags": [
        "file",
        "flagi",
        "process sha256",
        "process disc",
        "pathway z",
        "identyfikator",
        "zawiera moliwo",
        "klucz",
        "zawiera",
        "wybierz",
        "nie mona",
        "przechowywanie",
        "haso",
        "obiekt",
        "cig uid",
        "zilla",
        "enumerate",
        "defender",
        "pragma",
        "security",
        "license v2",
        "ff ff",
        "fc e8",
        "f8 ff",
        "fc ff",
        "c9 c3",
        "e4 f8",
        "cc cc",
        "fc eb",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "themida",
        "loader",
        "sality",
        "dnguard",
        "windows nt",
        "gecko",
        "khtml",
        "msie",
        "wow64",
        "stealer",
        "win64",
        "error",
        "userprofile",
        "keylogger",
        "encrypt",
        "antivm",
        "span",
        "main",
        "grabber",
        "hello",
        "android",
        "dcrat",
        "win32",
        "kill",
        "revengerat",
        "sandbox",
        "pass",
        "chat",
        "first",
        "asyncrat",
        "crypto",
        "injector",
        "dropper",
        "infostealer",
        "lockfile",
        "worldwind",
        "stealerium",
        "toxiceye",
        "avemaria",
        "fast",
        "persistence",
        "trojan",
        "restart",
        "snakekeylogger",
        "snake",
        "accept",
        "cookie",
        "code",
        "killproc",
        "lazarus",
        "dearcry",
        "njrat",
        "cyrus",
        "powershell",
        "info",
        "body",
        "floodfix",
        "downloader",
        "ransomware",
        "core",
        "loki",
        "fpspy",
        "klogexe",
        "firebird",
        "patch",
        "explorer",
        "avkiller",
        "masslogger",
        "baldr",
        "modi rat",
        "helpme",
        "osno",
        "import",
        "keylog",
        "screencapture",
        "ransom",
        "crypted",
        "silent",
        "xorddos",
        "stormkitty",
        "ordinal",
        "locker",
        "hyperbro",
        "lamepyre",
        "parallaxrat",
        "null",
        "shurk steal",
        "arkeistealer",
        "strongpity",
        "desktop",
        "myagent",
        "bypass",
        "fatduke",
        "miniduke",
        "polyglotduke",
        "guildma",
        "spyeye",
        "corebot",
        "killmbr",
        "ooops",
        "lcpdot",
        "torisma",
        "codec",
        "prometheus",
        "spook",
        "crypt",
        "logger",
        "zegost",
        "poshkeylogger",
        "systembc",
        "hdlocker",
        "cryptolocker",
        "fivehands",
        "kitty",
        "goldmax",
        "rents",
        "maurigo",
        "done",
        "hidewindow",
        "bokbot",
        "bladabindi",
        "darktrack",
        "darksky",
        "alien",
        "karkoff",
        "inject",
        "windigo",
        "rest",
        "softcnapp",
        "elysiumstealer",
        "leivion",
        "banload",
        "ultrareach",
        "ultrasurf",
        "buterat",
        "tools",
        "beasty",
        "shut",
        "gravityrat",
        "fatalrat",
        "discord",
        "deadwood",
        "turian",
        "markirat",
        "mark",
        "klingonrat",
        "path",
        "reverserat",
        "grab",
        "meta",
        "voidcrypt",
        "darkvnc",
        "ryzerlo",
        "hiddentear",
        "boxcaon",
        "stream",
        "crimsonrat",
        "delfi",
        "infinity",
        "stealthworker",
        "gasket",
        "spoolss",
        "lu0bot",
        "target",
        "attack",
        "cobaltstrike",
        "bits",
        "chaos",
        "bitcoin",
        "wiper",
        "delphi",
        "slackbot",
        "neshta",
        "belarus",
        "apanas",
        "runner",
        "darkcomet",
        "macoute",
        "iframe",
        "vanillarat",
        "sectoprat",
        "melt",
        "tomiris",
        "apostle",
        "blackbyte",
        "kutaki",
        "override",
        "windealer",
        "mkdir",
        "brbbot",
        "config",
        "babylon rat",
        "spynet",
        "bazarloader",
        "clipper",
        "banker",
        "gh0st",
        "piratestealer",
        "witch",
        "killme",
        "vulturi",
        "tofsee",
        "slow",
        "owowa",
        "flagpro",
        "write",
        "dazzlespy",
        "decryptor",
        "bandit stealer",
        "bandit",
        "darkeye",
        "recordbreaker",
        "truebot",
        "svchost",
        "clipbanker",
        "service",
        "arrowrat",
        "ducktail",
        "confuser",
        "gobrat",
        "modiloader",
        "chilelocker",
        "noclose",
        "strelastealer",
        "comfoo",
        "babar",
        "blankgrabber",
        "solarmarker",
        "darkgate",
        "stub",
        "banned",
        "globeimposter",
        "rhysida",
        "janelarat",
        "kraken",
        "recon",
        "quiterat",
        "venomrat",
        "venom rat",
        "sapphirestealer",
        "ntospy",
        "raccoon",
        "shifu",
        "mediapi",
        "poolrat",
        "cicada3301",
        "remoteexec"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 528,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 414,
        "FileHash-SHA1": 410,
        "FileHash-SHA256": 1940,
        "URL": 171,
        "hostname": 56,
        "domain": 134,
        "YARA": 759,
        "email": 4
      },
      "indicator_count": 3888,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 122,
      "modified_text": "340 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cb982432751ed32fd0404b",
      "name": "Svchost id: 16c37b52-b141-42a5-a3ea-bbe098444397",
      "description": "The following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme and are subject to a review by BBC Newsnight and BBC Radio 5 live.",
      "modified": "2025-05-14T21:10:44.900000",
      "created": "2025-03-08T01:06:44.421000",
      "tags": [
        "vhash",
        "authentihash",
        "ssdeep",
        "rticon serbian",
        "arabic libya",
        "ico rtgroupicon",
        "serbian arabic",
        "libya",
        "windows nt",
        "detects",
        "gecko",
        "khtml",
        "msie",
        "wow64",
        "stealer",
        "win64",
        "error",
        "userprofile",
        "hunt",
        "keylogger",
        "encrypt",
        "antivm",
        "span",
        "main",
        "grabber",
        "hello",
        "android",
        "dcrat",
        "win32",
        "kill",
        "revengerat",
        "sandbox",
        "pass",
        "chat",
        "first",
        "asyncrat",
        "crypto",
        "injector",
        "dropper",
        "infostealer",
        "lockfile",
        "worldwind",
        "stealerium",
        "toxiceye",
        "avemaria",
        "fast",
        "persistence",
        "trojan",
        "restart",
        "snakekeylogger",
        "snake",
        "accept",
        "cookie",
        "code",
        "killproc",
        "lazarus",
        "dearcry",
        "njrat",
        "cyrus",
        "powershell",
        "info",
        "body",
        "floodfix",
        "downloader",
        "ransomware",
        "core",
        "loki",
        "fpspy",
        "klogexe",
        "firebird",
        "patch",
        "explorer",
        "avkiller",
        "masslogger",
        "baldr",
        "modi rat",
        "helpme",
        "osno",
        "import",
        "keylog",
        "screencapture",
        "ransom",
        "crypted",
        "silent",
        "xorddos",
        "stormkitty",
        "ordinal",
        "locker",
        "hyperbro",
        "lamepyre",
        "parallaxrat",
        "null",
        "shurk steal",
        "arkeistealer",
        "strongpity",
        "desktop",
        "myagent",
        "bypass",
        "fatduke",
        "miniduke",
        "polyglotduke",
        "guildma",
        "spyeye",
        "corebot",
        "killmbr",
        "ooops",
        "lcpdot",
        "torisma",
        "codec",
        "prometheus",
        "spook",
        "crypt",
        "logger",
        "zegost",
        "poshkeylogger",
        "systembc",
        "hdlocker",
        "cryptolocker",
        "fivehands",
        "kitty",
        "goldmax",
        "rents",
        "maurigo",
        "done",
        "hidewindow",
        "bokbot",
        "bladabindi",
        "darktrack",
        "darksky",
        "alien",
        "karkoff",
        "inject",
        "windigo",
        "rest",
        "softcnapp",
        "elysiumstealer",
        "leivion",
        "banload",
        "ultrareach",
        "ultrasurf",
        "buterat",
        "tools",
        "beasty",
        "shut",
        "gravityrat",
        "fatalrat",
        "discord",
        "deadwood",
        "turian",
        "markirat",
        "mark",
        "klingonrat",
        "path",
        "reverserat",
        "grab",
        "meta",
        "voidcrypt",
        "darkvnc",
        "ryzerlo",
        "hiddentear",
        "boxcaon",
        "stream",
        "crimsonrat",
        "delfi",
        "infinity",
        "stealthworker",
        "gasket",
        "spoolss",
        "lu0bot",
        "target",
        "attack",
        "cobaltstrike",
        "bits",
        "chaos",
        "bitcoin",
        "wiper",
        "delphi",
        "slackbot",
        "neshta",
        "belarus",
        "apanas",
        "runner",
        "darkcomet",
        "macoute",
        "iframe",
        "vanillarat",
        "sectoprat",
        "melt",
        "tomiris",
        "apostle",
        "blackbyte",
        "kutaki",
        "override",
        "windealer",
        "mkdir",
        "brbbot",
        "config",
        "babylon rat",
        "spynet",
        "bazarloader",
        "clipper",
        "banker",
        "gh0st",
        "piratestealer",
        "witch",
        "killme",
        "vulturi",
        "tofsee",
        "slow",
        "owowa",
        "flagpro",
        "write",
        "dazzlespy",
        "decryptor",
        "bandit stealer",
        "bandit",
        "darkeye",
        "recordbreaker",
        "truebot",
        "svchost",
        "clipbanker",
        "service",
        "koivm",
        "arrowrat",
        "ducktail",
        "confuser",
        "gobrat",
        "modiloader",
        "chilelocker",
        "noclose",
        "strelastealer",
        "comfoo",
        "babar",
        "blankgrabber",
        "solarmarker",
        "darkgate",
        "stub",
        "banned",
        "globeimposter",
        "rhysida",
        "janelarat",
        "kraken",
        "recon",
        "quiterat",
        "venomrat",
        "venom rat",
        "sapphirestealer",
        "ntospy",
        "raccoon",
        "shifu",
        "mediapi",
        "poolrat",
        "cicada3301",
        "remoteexec",
        "security",
        "license v2",
        "f6 d9",
        "sha256",
        "imphasz",
        "externalnet",
        "homenet",
        "unreachable",
        "imageendswith",
        "example",
        "imagestartswith",
        "files",
        "sandbox author",
        "securityuserid",
        "windows upgrade",
        "k netsvcs",
        "defender",
        "update",
        "code integrity",
        "checks id",
        "detects code",
        "thomas patzke",
        "filessophos",
        "outbound smtp",
        "connections id",
        "smtp",
        "david burkett",
        "signalblur",
        "commandline",
        "svchost parent",
        "process id",
        "roth",
        "nextron",
        "service binary",
        "system",
        "automatic",
        "manual",
        "filter fp",
        "avast software",
        "new service",
        "creation id"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 168,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 39,
        "FileHash-SHA1": 28,
        "FileHash-SHA256": 1065,
        "URL": 984,
        "YARA": 535,
        "domain": 262,
        "email": 4,
        "hostname": 316
      },
      "indicator_count": 3233,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 124,
      "modified_text": "340 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681f89cbab1a4574c464ad5b",
      "name": "f83991c8-f2d9-5583-845a-d105034783ab",
      "description": "https://www.virustotal.com/gui/file/e79f57b603370d4cd4ab1d757833995b89c7d79c9071c75d72c6d082ba0a7ea4/detection\nA chronology of key events in the history of the United States:-1.1-2 January 2020.. and 1 February 2021.. (c.9/11):.",
      "modified": "2025-05-10T17:15:55.933000",
      "created": "2025-05-10T17:15:55.933000",
      "tags": [
        "detects",
        "xored url",
        "roth",
        "nextron",
        "deepgit",
        "avast software",
        "gmbh",
        "perl dev",
        "digiread",
        "avid editor",
        "confuserex mod",
        "aspirecrypt",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "themida",
        "loader",
        "sality",
        "dnguard"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 11,
        "FileHash-SHA256": 17,
        "YARA": 53,
        "URL": 55,
        "domain": 4,
        "hostname": 7,
        "CVE": 1
      },
      "indicator_count": 160,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "344 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67a9f3def74f96146bc342d5",
      "name": "cobalt_loader_unpacked.exe",
      "description": "A guide to the Cobaltloader, a 32-bit executable for Windows, has been published by the University of Oxford, and its website is published on the same day as the release.",
      "modified": "2025-02-10T12:41:02.752000",
      "created": "2025-02-10T12:41:02.752000",
      "tags": [
        "sha256",
        "sha1",
        "size",
        "ms windows",
        "copy ssdeep",
        "copy imphash",
        "call",
        "imagescnmemread",
        "imagescncntcode",
        "e5a596d6h",
        "rsp20h",
        "e5a595f0h",
        "e5a595dch",
        "rsp10h",
        "rsp18h",
        "rsp04h",
        "rsp08h",
        "rsp0ch",
        "rax05h",
        "themida",
        "thumbprint md5",
        "serial number",
        "vs2022",
        "symantec time",
        "stamping",
        "from",
        "algorithm",
        "thumbprint",
        "globalsign root",
        "submission",
        "w5k0fa2",
        "connection",
        "i64d",
        "http",
        "userprofile",
        "studio",
        "ldap",
        "detail",
        "cdecl sol",
        "socks5 connect",
        "ca file",
        "error",
        "class",
        "combo",
        "delta",
        "bind",
        "unknown",
        "void",
        "rest",
        "problem",
        "procin",
        "httpports",
        "ipv4 address",
        "homenet",
        "externalnet",
        "tgi hunt",
        "curl",
        "ip address",
        "et hunting",
        "dotted quad",
        "clientendpoint",
        "perimeter",
        "hunting",
        "informational",
        "policy",
        "outbound",
        "confuserex mod",
        "aspirecrypt",
        "detects",
        "reactor",
        "beds protector",
        "ps2exe",
        "bsjb",
        "boxedapp",
        "cyaxsharp",
        "cyaxpng",
        "smartassembly",
        "koivm",
        "confuserex",
        "obfuscator",
        "aspack",
        "titan",
        "enigma",
        "vmprotect",
        "strings",
        "rlpack",
        "antiem",
        "antisb",
        "loader",
        "sality",
        "dnguard"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Arek-BTC",
        "id": "212764",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA256": 177,
        "FileHash-SHA1": 7,
        "YARA": 52,
        "email": 7,
        "IPv4": 38,
        "URL": 154,
        "domain": 14,
        "hostname": 58
      },
      "indicator_count": 530,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 123,
      "modified_text": "433 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "buffer.data",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "buffer.data",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776643082.0121083
}