{
"type": "Domain",
"indicator": "camect.com",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/camect.com",
"alexa": "http://www.alexa.com/siteinfo/camect.com",
"indicator": "camect.com",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3810440348,
"indicator": "camect.com",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 38,
"pulses": [
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T19:05:08.688000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"IPv4": 397,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9,
"IPv6": 32
},
"indicator_count": 14563,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "37 seconds ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e30d748895cd7a5746fd20",
"name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research",
"description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"modified": "2026-04-18T04:49:56.011000",
"created": "2026-04-18T04:49:56.011000",
"tags": [
"injection",
"removal",
"manipulation",
"apt29",
"lab52",
"avertium",
"ukraine",
"magicweb",
"nato",
"solarwinds",
"snowyamber",
"halfrig",
"quarterrig",
"orion",
"team",
"ransomware",
"mimikatz",
"magicweb",
"hijack",
"cobalt strike",
"trojan",
"dropper",
"dukes",
"malware",
"ylarv",
"drop",
"msdos",
"stub",
"rareencoding",
"memory pattern",
"communication",
"urls http",
"hashes",
"client execut",
"modify registry",
"preos boot",
"technir process",
"artifacts v",
"v help",
"rootkit",
"os credential",
"response",
"nxdomain",
"name n",
"dumping",
"sigma",
"use short",
"name path",
"creates",
"query firmware",
"verdict",
"report",
"malicious",
"defense evasion",
"network info",
"process",
"system",
"hostname"
],
"references": [
"https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
"I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting",
"XOR_embeded_exefile_xored_with_round_256_bytes_key",
"FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
"Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
"YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
"YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth",
"YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth",
"YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
"SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
"Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
"kefas.id: Crowdsourced Sigma below | Malicious Score High",
"Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
"Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
"Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
"Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Norway",
"Ukraine",
"Poland"
],
"malware_families": [
{
"id": "Xored",
"display_name": "Xored",
"target": null
},
{
"id": "Trojan.Dukes/Xmldrp",
"display_name": "Trojan.Dukes/Xmldrp",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 23,
"URL": 34,
"hostname": 97,
"FileHash-MD5": 32,
"FileHash-SHA1": 29,
"FileHash-SHA256": 138,
"CVE": 4,
"IPv4": 24
},
"indicator_count": 381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "2 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db609269c77812f937026e",
"name": "CAPE Sandbox ----- emulex fc 2.72.011.002-3",
"description": "emulex fc 2.72.011.002-3, Malware Behavior Catalog Tree\nAnti-Behavioral Analysis\nOB0001\nVirtual Machine Detection\nB0009\nSoftware Packing\nF0001\nAnti-Static Analysis\nOB0002\nSoftware Packing\nF0001\nDefense Evasion\nOB0006\nSoftware Packing\nF0001\nDiscovery\nOB0007\nFile and Directory Discovery\nE1083\nExecution\nOB0009\nCommand and Scripting Interpreter\nE1059\nFile System\nOC0001\nDelete File\nC0047\nGet File Attributes\nC0049\nSet File Attributes\nC0050\nRead File\nC0051\nWrites File\nC0052\nProcess\nOC0003\nTerminate Process\nC0018\nCommunication\nOC0006\nHTTP Communication\nC0002\n\nWho are you protecting? Look at your root certificate map to 2018-19. Im not mad, I am just disappointed in the lack of cyber security awareness and cryptographic failures. If I see one more unsigned DNSSEC. Edge node completely exposed. Maybe let CISA and the NSA handle things since they are competent. unknown agency- #burnedyourowncountry.\nPalo Alto, level blue, falcon sandbox, cape, yomi, sec, arc- you are heroes for picking up malware that evades everything.",
"modified": "2026-04-15T19:46:25.951000",
"created": "2026-04-12T09:06:26.754000",
"tags": [
"hbanyware",
"hbas",
"true",
"reportlocation",
"programfiles",
"command line",
"enable silent",
"mode",
"full",
"local only",
"false",
"path",
"example",
"windows sandbox",
"clear filters",
"show",
"fibre channel",
"emulex fibre",
"emulex network",
"fibre chann",
"host b",
"network",
"emulex",
"network cards",
"find",
"UNITED STATES SENT.",
"Still love USA.",
"bankers doc",
"ESign Violation",
"cyber warfare",
"Fraud",
"pdfkit.net",
"CIVIL rights violation",
"geofence",
"whistleblower",
"adobe exploited from unsafe practices",
"certificate abuse",
"wiper",
"Docusign exploited from unsafe practices",
"abuse",
"modification of the record",
"date changes",
"deleting evidence",
"wateringholeleftwideopen#RiskManagementKnowledgeDeficient",
"firmware neutral",
"fraud",
"espionage",
"Iloveyou.txt",
"APTnull.",
"PlutoniumoftheInternet",
"apiabuse",
"Put Zen at risk",
"Microsoft exploited from misuse of power and secure protocols",
"Spyonyourinternalframework.",
"fsquirt.[exe]",
"bluetooth tampering",
"wormhole",
"backdoor",
"GITlikeMITbutSouth",
"pool",
"CloseDoorsProper",
"spellbound.[exe]",
"Wizard",
"GUI of Bluetooth File Transfer Wizard",
">",
"modified": "2026-04-14T04:52:47.333000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:36.465000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 10,
"IPv4": 58,
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:32.943000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dbb65f599a553b7d8b7cfe",
"name": "CAPE Sandbox - Civil Rights Violations I Human Rights I Suppression of those in need.",
"description": "\"Unknown\".",
"modified": "2026-04-12T15:57:23.397000",
"created": "2026-04-12T15:12:31.788000",
"tags": [
"thread",
"javathread",
"exception",
"environment",
"java",
"image fetcher",
"ebx0x4869e3c4",
"ecx0x007c5000",
"ebp0x4869e3ac",
"esi0x4869e414",
"stack",
"windows sandbox",
"calls process",
"file type",
"ms windows",
"pe32",
"intel",
"pe file",
"found",
"drops pe",
"ascii",
"ascii text",
"code",
"persistence",
"next"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006515&Signature=kC4Q9ajm2R%2Fx53YEL6clvinR3%2F3rEZvU5gUV%2FQNb4Hwjt189HpcQyYd%2Bg5wiI4JI9vzXsg5DCnfkbQnYC8mAFugxueqQujtRtCJlLEle%2FDvLPAjAAE1zvFWEJa%2FNWn22vzfb2kSUc3sZATDaJJ7qzCjHnPj5b%2FXZcsVdz8ffP%2BzzzWeCM16aljBDeuaqzhAoyqL%2BiU9nhZgotJ8wgRiuSaPxk2TnljMh3ytdEw8ekyHV",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006631&Signature=i1UBMv0C3L3d7z35O6OKU0KrZKXISlpDDZrJ2g2SLJ70HDiyQt7ELalpehTsx%2FTUk8pg4M%2BKsZZUS%2FxXUwsl88tznktFiJS6L8soYz%2BbUnSYDneW9%2FMugMaVx2s2IWec15RcS7i3JY2IDdgcNzrGEnRqqd3BJWV8mkIRCQrtS1d2%2FqW4VjdZ7gOZKAUNQFBEC002l4wmqDbQTq%2FtS5eNsFpXe1TEiGrctaa5QJcvm%",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006701&Signature=YjF%2Fy4vmVzw2Nqyd9W3hbfPL2aEPZbKUOajAyV1uEq14FZrLVyJ2VdPgaP63PsvKuEquUw%2FYs4Cq4clfGDB6Psj7my4aBKDzchxzKt%2FRLju%2BZ9tqqbL5Hq1tkkbfY91t2GPkaU7fX9pAkHVLeUvndfLoG7S60MUcGbOOH0F42wlR2%2BuS2vI5og5RV%2Fm%2FTZ%2BkVjZqKH%2F3suCNtPjSHRFH9mzo923zwnzUeS%2Fku5eZD3nr%2BfgF",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007306&Signature=Ho%2FmCYQV4%2BaUXwyVV9EcgNwJDfHmiCjCqJbz3N%2BwlkcD40B7Rd3ycZRZBZX51i%2FDcl%2FlY1Be1t%2Bd7Z1ytx5PFmaNc5G4hMjnrbZCJCGuMlyiXOmdMqzKum3hVc4WH68dv8kX8Ttz3E6gN%2FXSk95b2ap5ev%2BvXIv9%2BDdK%2ByGC0fUv9g%2BG4PVBuzlCM74Pe8u8MSP%2BQQSkkS7x0s6cK03nhvJ2BZa%2BOo8Bhipa",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007403&Signature=APi3vT1EtU5iYbrNTbVcI07N1wq5DpKROmaZZ7pLG3zwPiO1%2BWKcW1FZW%2BA79%2Fx38mnlwDA%2FRcYE5smasAt%2BPpYDIFKaVIi8RCDkzvXJR3tMy30GV%2FXakj%2BSaJnb0puPdOw4l87ohhDU9jf%2BSiloJD0daXTiNWfm%2BGtNt8l34Bj76KOtvHAXgR6784Qg6jArynpfGBCMDM%2BvDxNcjaKJa%2BKj3FpOrhdVQAHX0oR",
"https://vtcuckoo.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007491&Signature=C8TMJqhS%2FgoHhBBerFti1D2nDZ1RyJGhtJzLZqo2wh1eL82HC3CCxenuVK1umamrAEwtWdKgen5rrLWs5JyhVIHVGze5ItsDI9qw3lJLXF6WwYM%2BBbXgt3WcXielTAI4YsIk%2BBQI4IRQsVNM3GlE0w92diOXHW4Wh5H9CvSwHliMFzCQrzrMzaoa%2B08LPjQdEE%2ByyB7tbtCKZ88IPD6%2BxyAVGS9DMEOnIvH%2BA9Ij4uHieKWvU3EZUgwWe89eFZu4LwCtOWz",
"https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007773&Signature=n5TgOfD3mktQxb8gJiJMkcdUVdQ4g7H%2BXUFYi3IxT9S%2FBngzNXXlPEMI%2Bl6tVL0831y6z2Y5zbnZGpGeLEd122KaERIL3OYZeSEspcGuCfJDSXamqkXoStA%2FXyjIFZQco8xbInSZebliJvh6XBjbtvGG7y2RuRzorR3tW3gmUS7mcwx5gkEG1ChjjS6XbMLOEiyyVZMkw6MfNaQ%2FKeTYUeMXicDfLsx9VShaDstt0aIQhq",
"https://vtbehaviour.commondatastorage.googleapis.com/5d2a98dafcbdf7593ee07d102507ef4b21bf68ddd6e1cbf77f06fd7f58d7185b_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007848&Signature=VuTrM0RQZ9WiJ6LCxUPm3uvvypfOCy9Wct7UdjbtL%2FbnJ1dRuPIdOMHELRxVwTLRbN17FZ69qfgyvLlUhury2lVO5o5mFt2mm9BMxVe48XRFsuwz9vLdsQId%2FLvXNexCXY4oYgFVgSp4o75PxcdpnS49Ex9qQiUv9pdqKQGW3W1cJTqjcKlTznh0tUI%2Bj8m7tFdT3lDoX%2B1wLNfhCSJFNttX0ny8NVIEkXqasqz1zLL7uysve7I533dEo",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776008104&Signature=drvELIhluwlnbhi0jchNMK%2BVDDOLOC7mAm7Pry%2BdAZm90YKClGOKKIJpcXa4cyTjPZh3VYOoifdcQtCETfAip1eaTc6jQF61kEH9%2FFCJ%2FDOhAufnwV0pURRY%2BvL5sdTNPbqll06HFqzG3vUap3CjPyoDdFPKRFQvC1UZKPMffPQeUKL88X7uBE0DCT17cCzXzDn4d1a63wLFDuck%2Bd6JH7OA1Q5tstpiL4ZJ3k4YI6GX",
"https://vtbehaviour.commondatastorage.googleapis.com/ba5366936b00980d7af18523a2881e030bc95dbb278aea21bcfd041f33da3176_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776008246&Signature=mH4md%2F1Q%2FmEV1iU2OduUd0ylEwA0KoS4R0FSApUL%2FubjjuVncqxJWmBF4MdXYNfrdzjB%2FVIbSFvewZp%2Fc0b3VcARsLYOUlRHgIlXKdcitM03C0%2BEPqdv4qwalFCJyc4%2FCgB5DhyrOlUXyxdkcxkjxWarNuJOICk%2FataVyfcQyONRN97GnMkrR2%2BTvv8XfNrPyV2yunP4MdE8RP2xPJPxOWO1%2F8JPgMHHwZToBpWT1DcJAjLxa%",
"https://vtbehaviour.commondatastorage.googleapis.com/78b28e036975c623615fc78041391a521854ddc8bce63a4b6a99ca423f285f8e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776009546&Signature=lM5FKrkq%2FoqgThG3Rn2Gmd1bQT0VhTjIE0fM8qSJpWsHSGWk2QFB1tj768pVuQGtOswleAQ0CqStQn9GwlxjWtr1cDCQc80AHsPdMa9aBHU7K4qmOgTq56LqU7GHy9FR3Onp0S8KFsdiQ4LjrINZ1EkG0LG66CdKQYYLjqxakq1BlWnPLibjNYm4j68l7m6oBJC0Iy46BdDzSQW8sGez%2Fa1l89aVvTEpVvoAwVqlYPXCXqNsHNX7It3EQl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 125,
"FileHash-MD5": 329,
"FileHash-SHA1": 88,
"FileHash-SHA256": 661,
"URL": 277,
"domain": 99,
"hostname": 248,
"email": 1
},
"indicator_count": 1828,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d366448691fa5dc09cc8ad",
"name": "CAPE Sandbox",
"description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.",
"modified": "2026-04-06T07:54:40.511000",
"created": "2026-04-06T07:52:35.998000",
"tags": [
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"key identifier",
"x509v3 subject",
"number",
"cus starizona",
"cngo daddy",
"authority",
"g2 validity",
"subject public",
"key info",
"key algorithm",
"domain name",
"status",
"abuse contact",
"email",
"registrar iana"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 64,
"FileHash-MD5": 152,
"FileHash-SHA1": 16,
"FileHash-SHA256": 552,
"URL": 326,
"domain": 69,
"hostname": 213,
"email": 1,
"CVE": 1
},
"indicator_count": 1394,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d36643aecd94c5482eaac1",
"name": "CAPE Sandbox",
"description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.",
"modified": "2026-04-06T07:52:35.647000",
"created": "2026-04-06T07:52:35.647000",
"tags": [
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"key identifier",
"x509v3 subject",
"number",
"cus starizona",
"cngo daddy",
"authority",
"g2 validity",
"subject public",
"key info",
"key algorithm",
"domain name",
"status",
"abuse contact",
"email",
"registrar iana"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 64,
"FileHash-MD5": 152,
"FileHash-SHA1": 16,
"FileHash-SHA256": 552,
"URL": 326,
"domain": 69,
"hostname": 213,
"email": 1
},
"indicator_count": 1393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d366420a9e0656d003c295",
"name": "CAPE Sandbox",
"description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.",
"modified": "2026-04-06T07:52:34.721000",
"created": "2026-04-06T07:52:34.721000",
"tags": [
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"key identifier",
"x509v3 subject",
"number",
"cus starizona",
"cngo daddy",
"authority",
"g2 validity",
"subject public",
"key info",
"key algorithm",
"domain name",
"status",
"abuse contact",
"email",
"registrar iana"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 64,
"FileHash-MD5": 152,
"FileHash-SHA1": 16,
"FileHash-SHA256": 552,
"URL": 326,
"domain": 69,
"hostname": 213,
"email": 1
},
"indicator_count": 1393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d214c82964f598d31d166c",
"name": "Habo Analysis System",
"description": "",
"modified": "2026-04-05T08:44:43.360000",
"created": "2026-04-05T07:52:40.107000",
"tags": [
"get http",
"engb",
"dns resolutions",
"ip traffic",
"guid",
"blob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 531,
"FileHash-MD5": 50,
"FileHash-SHA1": 32,
"FileHash-SHA256": 2200,
"URL": 1193,
"domain": 483,
"IPv4": 395
},
"indicator_count": 4884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d214c68bab9c38fe4b3e2e",
"name": "Habo Analysis System",
"description": "",
"modified": "2026-04-05T08:43:44.054000",
"created": "2026-04-05T07:52:38.261000",
"tags": [
"get http",
"engb",
"dns resolutions",
"ip traffic",
"guid",
"blob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 532,
"FileHash-MD5": 50,
"FileHash-SHA1": 32,
"FileHash-SHA256": 2196,
"URL": 1193,
"domain": 485,
"IPv4": 395
},
"indicator_count": 4883,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d214c3864a70e3a6eb45ed",
"name": "Habo Analysis System",
"description": "",
"modified": "2026-04-05T08:43:43.490000",
"created": "2026-04-05T07:52:35.966000",
"tags": [
"get http",
"engb",
"dns resolutions",
"ip traffic",
"guid",
"blob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 531,
"FileHash-MD5": 50,
"FileHash-SHA1": 32,
"FileHash-SHA256": 2196,
"URL": 1193,
"domain": 484,
"IPv4": 395
},
"indicator_count": 4881,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d214c2864a70e3a6eb45ec",
"name": "Habo Analysis System",
"description": "",
"modified": "2026-04-05T08:35:04.061000",
"created": "2026-04-05T07:52:34.332000",
"tags": [
"get http",
"engb",
"dns resolutions",
"ip traffic",
"guid",
"blob"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 534,
"FileHash-MD5": 56,
"FileHash-SHA1": 35,
"FileHash-SHA256": 2199,
"URL": 1246,
"domain": 490,
"IPv4": 395
},
"indicator_count": 4955,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d1f8041acb7d71607578f3",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-05T06:02:06.057000",
"created": "2026-04-05T05:49:56.708000",
"tags": [
"verisign",
"verisign class",
"display driver",
"verisign trust",
"network o",
"pulses",
"code signing",
"mon feb",
"public primary",
"digital id",
"class",
"win32 exe",
"pe32",
"ms windows",
"icons library",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"status",
"issuer verisign",
"ca valid",
"from",
"valid",
"valid usage",
"algorithm",
"thumbprint",
"ca status",
"g5 valid",
"verisign status",
"valid issuer",
"client auth",
"hash",
"cf b8",
"b7 b4",
"a8 f0",
"ab c5",
"bb f6",
"f7 a3",
"name verisign",
"g5 issuer",
"microsoft code",
"valid from",
"thumbprint md5",
"serial number",
"ec f2",
"init",
"copyright",
"product monitor",
"original name",
"file version",
"word document",
"file v2",
"document",
"outlook",
"settings",
"generic ole2",
"multistream",
"compound",
"time stamping",
"signer",
"g4 issuer",
"symantec time",
"stamping",
"g2 valid",
"open xml",
"zip archive",
"word microsoft",
"office open",
"xml format",
"open packaging",
"cf f4",
"c8 fe",
"digicert sha2",
"assured id"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 71,
"FileHash-SHA1": 54,
"FileHash-SHA256": 1900,
"URL": 684,
"IPv4": 135,
"hostname": 657,
"domain": 387
},
"indicator_count": 3888,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d1f8066431fee3647fa5ff",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-05T05:53:01.644000",
"created": "2026-04-05T05:49:58.156000",
"tags": [
"verisign",
"verisign class",
"display driver",
"verisign trust",
"network o",
"pulses",
"code signing",
"mon feb",
"public primary",
"digital id",
"class",
"win32 exe",
"pe32",
"ms windows",
"icons library",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"status",
"issuer verisign",
"ca valid",
"from",
"valid",
"valid usage",
"algorithm",
"thumbprint",
"ca status",
"g5 valid",
"verisign status",
"valid issuer",
"client auth",
"hash",
"cf b8",
"b7 b4",
"a8 f0",
"ab c5",
"bb f6",
"f7 a3",
"name verisign",
"g5 issuer",
"microsoft code",
"valid from",
"thumbprint md5",
"serial number",
"ec f2",
"init",
"copyright",
"product monitor",
"original name",
"file version",
"word document",
"file v2",
"document",
"outlook",
"settings",
"generic ole2",
"multistream",
"compound",
"time stamping",
"signer",
"g4 issuer",
"symantec time",
"stamping",
"g2 valid",
"open xml",
"zip archive",
"word microsoft",
"office open",
"xml format",
"open packaging",
"cf f4",
"c8 fe",
"digicert sha2",
"assured id"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 71,
"FileHash-SHA1": 54,
"FileHash-SHA256": 1900,
"URL": 684,
"IPv4": 135,
"hostname": 657,
"domain": 387,
"CVE": 6
},
"indicator_count": 3894,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "15 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d0f3013ab8f8fb20d6f6cc",
"name": "VirusTotal report\n for report.eml",
"description": "A security alert for the Verizon Hanover cell phone store in Massachusetts has been triggered by a \"pulses\" created on the site by its owner, the company's parent company, Verizon.><<>>> abuse of power",
"modified": "2026-04-04T09:52:33.171000",
"created": "2026-04-04T09:50:01.067000",
"tags": [
"non dsp",
"cor cura",
"cookie",
"dynamic",
"status code",
"body length",
"kb body",
"sha256",
"gz6mbt0grch",
"utc ua743607001",
"acceptencoding",
"toggle",
"nxdomain",
"windows",
"analysis",
"files mitre",
"xe9xaf",
"jyx9611xb1",
"xe3xfcxfexabe",
"source source",
"file name",
"strings",
"first",
"path",
"enterprise",
"service",
"close",
"richard massina",
"rocketreach",
"email",
"phone number",
"clifford",
"kenny",
"llp associate",
"get richard",
"massina",
"information og",
"file type",
"sigma",
"united",
"https",
"mitre attack",
"network info",
"windows folder",
"office macro",
"creates",
"office outbound",
"phishing",
"malicious",
"next",
"settings",
"first counter",
"default",
"inprocserver32",
"inprochandler32",
"mbisslshort",
"bearer",
"cname",
"mwdb",
"bazaar",
"bridge",
"info",
"accept",
"date",
"agent",
"shutdown",
"root",
"secchuamodel",
"excellent",
"windows sandbox",
"calls process",
"hull times",
"carol britton",
"meyer",
"kenny law",
"town counsel",
"james lampke",
"june",
"hiring",
"performs dns",
"urls",
"found",
"belgium",
"processes extra",
"t1055 process",
"script",
"hull",
"head",
"title",
"nothing",
"file execution",
"error",
"parent pid",
"full path",
"command line",
"registry keys",
"error reporting",
"registrya",
"localsm0504064"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 407,
"domain": 195,
"hostname": 309,
"FileHash-SHA256": 607,
"IPv4": 98,
"FileHash-MD5": 306,
"FileHash-SHA1": 31,
"email": 1,
"YARA": 1,
"CVE": 1
},
"indicator_count": 1956,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "16 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d0dec7d1e663f23697fcd5",
"name": "VirusTotal report\n for report.eml",
"description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power",
"modified": "2026-04-04T09:49:59.346000",
"created": "2026-04-04T09:49:59.346000",
"tags": [
"non dsp",
"cor cura",
"cookie",
"dynamic",
"status code",
"body length",
"kb body",
"sha256",
"gz6mbt0grch",
"utc ua743607001",
"acceptencoding",
"toggle",
"nxdomain",
"windows",
"analysis",
"files mitre",
"xe9xaf",
"jyx9611xb1",
"xe3xfcxfexabe",
"source source",
"file name",
"strings",
"first",
"path",
"enterprise",
"service",
"close",
"richard massina",
"rocketreach",
"email",
"phone number",
"clifford",
"kenny",
"llp associate",
"get richard",
"massina",
"information og",
"file type",
"sigma",
"united",
"https",
"mitre attack",
"network info",
"windows folder",
"office macro",
"creates",
"office outbound",
"phishing",
"malicious",
"next",
"settings",
"first counter",
"default",
"inprocserver32",
"inprochandler32",
"mbisslshort",
"bearer",
"cname",
"mwdb",
"bazaar",
"bridge",
"info",
"accept",
"date",
"agent",
"shutdown",
"root",
"secchuamodel",
"excellent",
"windows sandbox",
"calls process",
"hull times",
"carol britton",
"meyer",
"kenny law",
"town counsel",
"james lampke",
"june",
"hiring",
"performs dns",
"urls",
"found",
"belgium",
"processes extra",
"t1055 process",
"script",
"hull",
"head",
"title",
"nothing",
"file execution",
"error",
"parent pid",
"full path",
"command line",
"registry keys",
"error reporting",
"registrya",
"localsm0504064"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 407,
"domain": 195,
"hostname": 309,
"FileHash-SHA256": 607,
"IPv4": 98,
"FileHash-MD5": 306,
"FileHash-SHA1": 31,
"email": 1
},
"indicator_count": 1954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "16 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d0dec535ae0f94d37ccefb",
"name": "VirusTotal report\n for report.eml",
"description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power",
"modified": "2026-04-04T09:49:57.171000",
"created": "2026-04-04T09:49:57.171000",
"tags": [
"non dsp",
"cor cura",
"cookie",
"dynamic",
"status code",
"body length",
"kb body",
"sha256",
"gz6mbt0grch",
"utc ua743607001",
"acceptencoding",
"toggle",
"nxdomain",
"windows",
"analysis",
"files mitre",
"xe9xaf",
"jyx9611xb1",
"xe3xfcxfexabe",
"source source",
"file name",
"strings",
"first",
"path",
"enterprise",
"service",
"close",
"richard massina",
"rocketreach",
"email",
"phone number",
"clifford",
"kenny",
"llp associate",
"get richard",
"massina",
"information og",
"file type",
"sigma",
"united",
"https",
"mitre attack",
"network info",
"windows folder",
"office macro",
"creates",
"office outbound",
"phishing",
"malicious",
"next",
"settings",
"first counter",
"default",
"inprocserver32",
"inprochandler32",
"mbisslshort",
"bearer",
"cname",
"mwdb",
"bazaar",
"bridge",
"info",
"accept",
"date",
"agent",
"shutdown",
"root",
"secchuamodel",
"excellent",
"windows sandbox",
"calls process",
"hull times",
"carol britton",
"meyer",
"kenny law",
"town counsel",
"james lampke",
"june",
"hiring",
"performs dns",
"urls",
"found",
"belgium",
"processes extra",
"t1055 process",
"script",
"hull",
"head",
"title",
"nothing",
"file execution",
"error",
"parent pid",
"full path",
"command line",
"registry keys",
"error reporting",
"registrya",
"localsm0504064"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 407,
"domain": 195,
"hostname": 309,
"FileHash-SHA256": 607,
"IPv4": 98,
"FileHash-MD5": 306,
"FileHash-SHA1": 31,
"email": 1
},
"indicator_count": 1954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "16 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d0dec2efedd87c3a05cc10",
"name": "VirusTotal report\n for report.eml",
"description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power",
"modified": "2026-04-04T09:49:54.810000",
"created": "2026-04-04T09:49:54.810000",
"tags": [
"non dsp",
"cor cura",
"cookie",
"dynamic",
"status code",
"body length",
"kb body",
"sha256",
"gz6mbt0grch",
"utc ua743607001",
"acceptencoding",
"toggle",
"nxdomain",
"windows",
"analysis",
"files mitre",
"xe9xaf",
"jyx9611xb1",
"xe3xfcxfexabe",
"source source",
"file name",
"strings",
"first",
"path",
"enterprise",
"service",
"close",
"richard massina",
"rocketreach",
"email",
"phone number",
"clifford",
"kenny",
"llp associate",
"get richard",
"massina",
"information og",
"file type",
"sigma",
"united",
"https",
"mitre attack",
"network info",
"windows folder",
"office macro",
"creates",
"office outbound",
"phishing",
"malicious",
"next",
"settings",
"first counter",
"default",
"inprocserver32",
"inprochandler32",
"mbisslshort",
"bearer",
"cname",
"mwdb",
"bazaar",
"bridge",
"info",
"accept",
"date",
"agent",
"shutdown",
"root",
"secchuamodel",
"excellent",
"windows sandbox",
"calls process",
"hull times",
"carol britton",
"meyer",
"kenny law",
"town counsel",
"james lampke",
"june",
"hiring",
"performs dns",
"urls",
"found",
"belgium",
"processes extra",
"t1055 process",
"script",
"hull",
"head",
"title",
"nothing",
"file execution",
"error",
"parent pid",
"full path",
"command line",
"registry keys",
"error reporting",
"registrya",
"localsm0504064"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 407,
"domain": 195,
"hostname": 309,
"FileHash-SHA256": 607,
"IPv4": 98,
"FileHash-MD5": 306,
"FileHash-SHA1": 31,
"email": 1
},
"indicator_count": 1954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "16 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d0dec10ab26722b8dbd382",
"name": "VirusTotal report\n for report.eml",
"description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power",
"modified": "2026-04-04T09:49:52.991000",
"created": "2026-04-04T09:49:52.991000",
"tags": [
"non dsp",
"cor cura",
"cookie",
"dynamic",
"status code",
"body length",
"kb body",
"sha256",
"gz6mbt0grch",
"utc ua743607001",
"acceptencoding",
"toggle",
"nxdomain",
"windows",
"analysis",
"files mitre",
"xe9xaf",
"jyx9611xb1",
"xe3xfcxfexabe",
"source source",
"file name",
"strings",
"first",
"path",
"enterprise",
"service",
"close",
"richard massina",
"rocketreach",
"email",
"phone number",
"clifford",
"kenny",
"llp associate",
"get richard",
"massina",
"information og",
"file type",
"sigma",
"united",
"https",
"mitre attack",
"network info",
"windows folder",
"office macro",
"creates",
"office outbound",
"phishing",
"malicious",
"next",
"settings",
"first counter",
"default",
"inprocserver32",
"inprochandler32",
"mbisslshort",
"bearer",
"cname",
"mwdb",
"bazaar",
"bridge",
"info",
"accept",
"date",
"agent",
"shutdown",
"root",
"secchuamodel",
"excellent",
"windows sandbox",
"calls process",
"hull times",
"carol britton",
"meyer",
"kenny law",
"town counsel",
"james lampke",
"june",
"hiring",
"performs dns",
"urls",
"found",
"belgium",
"processes extra",
"t1055 process",
"script",
"hull",
"head",
"title",
"nothing",
"file execution",
"error",
"parent pid",
"full path",
"command line",
"registry keys",
"error reporting",
"registrya",
"localsm0504064"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 407,
"domain": 195,
"hostname": 309,
"FileHash-SHA256": 607,
"IPv4": 98,
"FileHash-MD5": 306,
"FileHash-SHA1": 31,
"email": 1
},
"indicator_count": 1954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "16 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69c71685818640b7646eac77",
"name": "CAPE Sandbox",
"description": "",
"modified": "2026-03-27T23:45:09.818000",
"created": "2026-03-27T23:45:09.818000",
"tags": [
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"read files",
"nothing",
"ui read",
"depot"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774649417&Signature=zRMCsM3tuILNjSkMAd2chC2V6dbgP%2F59FyNKBtobqgAxPM5DjIIaAsAQcDVV44Gm%2BFk3lDW42de5CAOs%2Fqz%2FogCLlsPk2JlGadH9272VuoWyNceVBJeI2b8dRRbgHvMdN951FzGfLG4%2Fn5udM73Co83RJvwo70bLu59YsU8nCLTZJn6oM3Y04QtulXh8oG2zRbr09EeZfNNVTdxo7wrMSCJBrUd%2BvhRTNMZRaBYbDKn%2FDfjx"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 21,
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 278,
"URL": 60,
"hostname": 98,
"domain": 42
},
"indicator_count": 501,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69c71684183164d2c588dfa9",
"name": "CAPE Sandbox",
"description": "",
"modified": "2026-03-27T23:45:08.650000",
"created": "2026-03-27T23:45:08.650000",
"tags": [
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"read files",
"nothing",
"ui read",
"depot"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774649417&Signature=zRMCsM3tuILNjSkMAd2chC2V6dbgP%2F59FyNKBtobqgAxPM5DjIIaAsAQcDVV44Gm%2BFk3lDW42de5CAOs%2Fqz%2FogCLlsPk2JlGadH9272VuoWyNceVBJeI2b8dRRbgHvMdN951FzGfLG4%2Fn5udM73Co83RJvwo70bLu59YsU8nCLTZJn6oM3Y04QtulXh8oG2zRbr09EeZfNNVTdxo7wrMSCJBrUd%2BvhRTNMZRaBYbDKn%2FDfjx"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 21,
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 278,
"URL": 60,
"hostname": 98,
"domain": 42
},
"indicator_count": 501,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "23 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65b85faa9b8e3e1206d7f25c",
"name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection ",
"description": "",
"modified": "2024-06-15T04:39:29.943000",
"created": "2024-01-30T02:32:10.210000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659719b77c383c73c05208a9",
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3503,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28413,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 233,
"modified_text": "674 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6597f9c7542ffc6fffaecb30",
"name": "Injection (RunPE) |Win.Packer - https://myminiweb.com",
"description": "polypragmonic, dns, win.packer, ig hacking, network bind, tracking",
"modified": "2024-02-04T12:05:19.275000",
"created": "2024-01-05T12:44:55.030000",
"tags": [
"ciphersuite",
"delete c",
"search",
"entries",
"united",
"stcalifornia",
"lmenlo park",
"ometa platforms",
"odigicert inc",
"cndigicert sha2",
"copy",
"write",
"unknown",
"no expiration",
"expiration",
"filehashsha256",
"hostname",
"domain",
"ipv4",
"url http",
"url https",
"filehashmd5",
"filehashsha1",
"next",
"iocs",
"pdf report",
"pcap",
"scan endpoints",
"win64",
"stix",
"openioc",
"enter",
"ssl certificate",
"whois record",
"apple ios",
"communicating",
"referrer",
"contacted",
"resolutions",
"threat roundup",
"password",
"networks",
"hacktool",
"crypto",
"twitter",
"june",
"probe",
"ransomware",
"malware",
"tsara brashears",
"botnet campaign",
"january",
"content reputation",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2469,
"FileHash-SHA1": 2295,
"FileHash-SHA256": 4925,
"SSLCertFingerprint": 2,
"URL": 4484,
"domain": 2044,
"hostname": 2375,
"email": 18,
"CVE": 4
},
"indicator_count": 18616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6597fa4da16bd99cc5c02528",
"name": "Botnet Campaign",
"description": "",
"modified": "2024-02-04T12:05:19.275000",
"created": "2024-01-05T12:47:09.406000",
"tags": [
"ciphersuite",
"delete c",
"search",
"entries",
"united",
"stcalifornia",
"lmenlo park",
"ometa platforms",
"odigicert inc",
"cndigicert sha2",
"copy",
"write",
"unknown",
"no expiration",
"expiration",
"filehashsha256",
"hostname",
"domain",
"ipv4",
"url http",
"url https",
"filehashmd5",
"filehashsha1",
"next",
"iocs",
"pdf report",
"pcap",
"scan endpoints",
"win64",
"stix",
"openioc",
"enter",
"ssl certificate",
"whois record",
"apple ios",
"communicating",
"referrer",
"contacted",
"resolutions",
"threat roundup",
"password",
"networks",
"hacktool",
"crypto",
"twitter",
"june",
"probe",
"ransomware",
"malware",
"tsara brashears",
"botnet campaign",
"january",
"content reputation",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6597f9c7542ffc6fffaecb30",
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2469,
"FileHash-SHA1": 2295,
"FileHash-SHA256": 4925,
"SSLCertFingerprint": 2,
"URL": 4484,
"domain": 2044,
"hostname": 2375,
"email": 18,
"CVE": 4
},
"indicator_count": 18616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6597fa4d4b5e060fb8a606a8",
"name": "Botnet Campaign",
"description": "",
"modified": "2024-02-04T12:05:19.275000",
"created": "2024-01-05T12:47:09.403000",
"tags": [
"ciphersuite",
"delete c",
"search",
"entries",
"united",
"stcalifornia",
"lmenlo park",
"ometa platforms",
"odigicert inc",
"cndigicert sha2",
"copy",
"write",
"unknown",
"no expiration",
"expiration",
"filehashsha256",
"hostname",
"domain",
"ipv4",
"url http",
"url https",
"filehashmd5",
"filehashsha1",
"next",
"iocs",
"pdf report",
"pcap",
"scan endpoints",
"win64",
"stix",
"openioc",
"enter",
"ssl certificate",
"whois record",
"apple ios",
"communicating",
"referrer",
"contacted",
"resolutions",
"threat roundup",
"password",
"networks",
"hacktool",
"crypto",
"twitter",
"june",
"probe",
"ransomware",
"malware",
"tsara brashears",
"botnet campaign",
"january",
"content reputation",
"et"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "6597f9c7542ffc6fffaecb30",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2469,
"FileHash-SHA1": 2295,
"FileHash-SHA256": 4925,
"SSLCertFingerprint": 2,
"URL": 4484,
"domain": 2044,
"hostname": 2375,
"email": 18,
"CVE": 4
},
"indicator_count": 18616,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "806 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65bc13594cf21dbe00b94807",
"name": "Tsara Brashears Dead campaign | ET | Emotet Botnet | Injection",
"description": "",
"modified": "2024-02-03T19:04:07.916000",
"created": "2024-02-01T21:55:37.581000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65b85faa9b8e3e1206d7f25c",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3501,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "807 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "659719b77c383c73c05208a9",
"name": "Content Reputation | ET | Botnet | Targeting",
"description": "http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"modified": "2024-02-03T19:04:07.916000",
"created": "2024-01-04T20:48:55.431000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3501,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 222,
"modified_text": "807 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "65a7e6e042a968005f7a5552",
"name": "Content Reputation | ET | Botnet | Targeting",
"description": "",
"modified": "2024-02-03T19:04:07.916000",
"created": "2024-01-17T14:40:32.084000",
"tags": [
"ioc search",
"new ioc",
"teams api",
"contact",
"threat analyzer",
"threat",
"paste",
"iocs",
"urls http",
"ssl certificate",
"whois record",
"historical ssl",
"whois whois",
"apple ios",
"contacted",
"tsara brashears",
"whois",
"resolutions",
"password",
"hacktool",
"crypto",
"execution",
"emotet",
"installer",
"banker",
"keylogger",
"critical",
"copy",
"content reputation",
"et",
"submission",
"comodo valkyrie",
"verdict",
"bitdefender",
"history first",
"analysis",
"utc http",
"response final",
"url http",
"search",
"entries",
"passive dns",
"urls",
"record value",
"unknown",
"united",
"gmt content",
"dynamic report",
"0 report",
"date",
"accept",
"name servers",
"scan endpoints",
"all octoseek",
"pulse pulses",
"http",
"ip address",
"related nids",
"files location",
"http response",
"final url",
"serving ip",
"address",
"ipv4",
"files",
"location china",
"asn as45090",
"dns resolutions",
"twitter",
"log id",
"gmtn",
"tls web",
"encrypt",
"ca issuers",
"f20b201c",
"b467295d",
"b2931e3f",
"false",
"as15169 google",
"domain",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"create c",
"write c",
"read c",
"medium",
"next",
"dock",
"write",
"persistence",
"delete c",
"path",
"xport",
"default",
"years ago",
"modified",
"created",
"email",
"active created",
"white",
"filehash",
"memcommit",
"tlsv1",
"show",
"win32",
"malware",
"get na",
"systemroot",
"starizona",
"lscottsdale",
"creation date",
"emails",
"domain name",
"showing",
"pulse submit",
"amazon",
"server ca",
"b535",
"tulach",
"hallrender",
"hallgrand",
"briansabey",
"brian sabey",
"mark",
"mark brian sabey",
"mark sabey",
"cybercrime",
"cyber stalking",
"botnet",
"evader",
"hacker",
"targeting"
],
"references": [
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"dvd-game-new-releases.info",
"1.116.217.151 [Cobalt Strike]",
"https://www.myminiweb.com/",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"http://alohatube.xyz/search/tsara-brashears",
"vtbehaviour.commondatastorage.googleapis.com",
"https://www.sweetheartvideo.com/tsara-brashears/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"https://tulach.cc/",
"ns3.hallgrandsale.ru"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Content Reputation",
"display_name": "Content Reputation",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Cobalt Strike",
"display_name": "Cobalt Strike",
"target": null
},
{
"id": "HallRender",
"display_name": "HallRender",
"target": null
},
{
"id": "HallGrand",
"display_name": "HallGrand",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056.001",
"name": "Keylogging",
"display_name": "T1056.001 - Keylogging"
},
{
"id": "TA0001",
"name": "Initial Access",
"display_name": "TA0001 - Initial Access"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0008",
"name": "Lateral Movement",
"display_name": "TA0008 - Lateral Movement"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0010",
"name": "Exfiltration",
"display_name": "TA0010 - Exfiltration"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "659719b77c383c73c05208a9",
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 13324,
"FileHash-MD5": 718,
"FileHash-SHA1": 617,
"FileHash-SHA256": 5761,
"domain": 3501,
"hostname": 4475,
"CVE": 1,
"email": 3,
"SSLCertFingerprint": 11
},
"indicator_count": 28411,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "807 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6585b18d61efd8798827c12a",
"name": "Potential Poodle Attack against a server | Injection | Threat Network",
"description": "",
"modified": "2024-01-21T15:01:52.390000",
"created": "2023-12-22T15:55:57.639000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"december",
"whois whois",
"historical ssl",
"referrer",
"problems",
"november",
"tsara brashears",
"startpage",
"core",
"hacktool",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"win32 dll",
"magic pe32",
"intel",
"ms windows",
"compiler",
"no data",
"tag count",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"iocs",
"sample summary",
"as54113",
"united",
"xamzexpires300",
"unknown",
"a domains",
"passive dns",
"entries",
"github pages",
"request id",
"sea x",
"virtool",
"accept",
"cache",
"hit x",
"date hash",
"avast avg",
"files show",
"execution",
"contacted",
"threat analyzer",
"threat",
"paste",
"hostnames",
"urls http",
"noname057",
"generic malware",
"threat report",
"ip summary",
"url summary",
"summary",
"generic",
"inject",
"!#AddsCopyToStartup",
"SLF:Exploit:Win32/UACPathBypass.A",
"SSL excessive fatal alerts (possible POODLE attack against serve",
"injector",
"185.199.108.133",
"malware infection",
"link",
"name servers",
"date",
"title",
"urls",
"domain robot",
"for privacy",
"redacted for",
"expiration date",
"emotet",
"upx",
"msil",
"trojan",
"malware",
"apple",
"data collection",
"privilege escalation",
"evasive",
"show",
"scan endpoints",
"all octoseek",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"copy",
"threat network",
"service modification",
"target",
"targeting an individual",
"cybercrime",
"fraud services",
"attack",
"africa",
"libel",
"password cracker",
"ios"
],
"references": [
"frostwire-5.3.9.windows.exe",
"185.199.108.133",
"cdn-185-199-108-133.github.com",
"AS : AS16509 Amazon.com, Inc",
"SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe",
"IP : 54.192.29.164",
"https://otx.alienvault.com/indicator/ip/185.199.108.133",
"Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133",
"YARA Rules",
"Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Matches rule UPX from ruleset UPX by kevoreilly",
"REFERENCE: https://goo.gl/hXbwiV",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command",
"More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]",
"https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]",
"www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]",
"www.anyxxxtube.net",
"https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]",
"phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]",
"louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]",
"103.246.145.111 [malware]",
"x.ss2.us",
"nr-data.net [Apple Private Data Collection]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Magic",
"display_name": "Magic",
"target": null
},
{
"id": "Multios.Coinminer.Miner-6781728-2",
"display_name": "Multios.Coinminer.Miner-6781728-2",
"target": null
},
{
"id": "Win32/Ispen BADNEWS Fake User-Agent",
"display_name": "Win32/Ispen BADNEWS Fake User-Agent",
"target": null
},
{
"id": "Babulya/CollectorStealer User-Agent",
"display_name": "Babulya/CollectorStealer User-Agent",
"target": null
},
{
"id": "Win.Malware.Generic-9820446-0",
"display_name": "Win.Malware.Generic-9820446-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "VirTool:MSIL/Obfuscator.BV",
"display_name": "VirTool:MSIL/Obfuscator.BV",
"target": "/malware/VirTool:MSIL/Obfuscator.BV"
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"target": null
},
{
"id": "!#HSTR:Win32/Spectorsoft",
"display_name": "!#HSTR:Win32/Spectorsoft",
"target": "/malware/!#HSTR:Win32/Spectorsoft"
},
{
"id": "ALF:Base64EncodeFunctionMonitorW",
"display_name": "ALF:Base64EncodeFunctionMonitorW",
"target": null
},
{
"id": "185.199.108.133.Malware_Host",
"display_name": "185.199.108.133.Malware_Host",
"target": null
},
{
"id": "adware.opencandy",
"display_name": "adware.opencandy",
"target": null
},
{
"id": "Malvertizing",
"display_name": "Malvertizing",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1872,
"FileHash-SHA1": 1140,
"FileHash-SHA256": 2367,
"URL": 1969,
"domain": 327,
"hostname": 1025,
"email": 1
},
"indicator_count": 8701,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "820 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6585b183175afafb5e3bfff5",
"name": "Potential Poodle Attack against a server | Injection | Threat Network",
"description": "",
"modified": "2024-01-21T15:01:52.390000",
"created": "2023-12-22T15:55:47.977000",
"tags": [
"whois record",
"ssl certificate",
"threat roundup",
"december",
"whois whois",
"historical ssl",
"referrer",
"problems",
"november",
"tsara brashears",
"startpage",
"core",
"hacktool",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"win32 dll",
"magic pe32",
"intel",
"ms windows",
"compiler",
"no data",
"tag count",
"ioc search",
"new ioc",
"teams api",
"contact",
"search",
"iocs",
"sample summary",
"as54113",
"united",
"xamzexpires300",
"unknown",
"a domains",
"passive dns",
"entries",
"github pages",
"request id",
"sea x",
"virtool",
"accept",
"cache",
"hit x",
"date hash",
"avast avg",
"files show",
"execution",
"contacted",
"threat analyzer",
"threat",
"paste",
"hostnames",
"urls http",
"noname057",
"generic malware",
"threat report",
"ip summary",
"url summary",
"summary",
"generic",
"inject",
"!#AddsCopyToStartup",
"SLF:Exploit:Win32/UACPathBypass.A",
"SSL excessive fatal alerts (possible POODLE attack against serve",
"injector",
"185.199.108.133",
"malware infection",
"link",
"name servers",
"date",
"title",
"urls",
"domain robot",
"for privacy",
"redacted for",
"expiration date",
"emotet",
"upx",
"msil",
"trojan",
"malware",
"apple",
"data collection",
"privilege escalation",
"evasive",
"show",
"scan endpoints",
"all octoseek",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"copy",
"threat network",
"service modification",
"target",
"targeting an individual",
"cybercrime",
"fraud services",
"attack",
"africa",
"libel",
"password cracker",
"ios"
],
"references": [
"frostwire-5.3.9.windows.exe",
"185.199.108.133",
"cdn-185-199-108-133.github.com",
"AS : AS16509 Amazon.com, Inc",
"SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe",
"IP : 54.192.29.164",
"https://otx.alienvault.com/indicator/ip/185.199.108.133",
"Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133",
"YARA Rules",
"Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Matches rule UPX from ruleset UPX by kevoreilly",
"REFERENCE: https://goo.gl/hXbwiV",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command",
"More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]",
"https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]",
"www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]",
"www.anyxxxtube.net",
"https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]",
"phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]",
"louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]",
"103.246.145.111 [malware]",
"x.ss2.us",
"nr-data.net [Apple Private Data Collection]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Generic",
"display_name": "Generic",
"target": null
},
{
"id": "HackTool",
"display_name": "HackTool",
"target": null
},
{
"id": "VirTool",
"display_name": "VirTool",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Magic",
"display_name": "Magic",
"target": null
},
{
"id": "Multios.Coinminer.Miner-6781728-2",
"display_name": "Multios.Coinminer.Miner-6781728-2",
"target": null
},
{
"id": "Win32/Ispen BADNEWS Fake User-Agent",
"display_name": "Win32/Ispen BADNEWS Fake User-Agent",
"target": null
},
{
"id": "Babulya/CollectorStealer User-Agent",
"display_name": "Babulya/CollectorStealer User-Agent",
"target": null
},
{
"id": "Win.Malware.Generic-9820446-0",
"display_name": "Win.Malware.Generic-9820446-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "VirTool:MSIL/Obfuscator.BV",
"display_name": "VirTool:MSIL/Obfuscator.BV",
"target": "/malware/VirTool:MSIL/Obfuscator.BV"
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"display_name": "ALF:HSTR:HackTool:ExtremeInjector.S01",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"display_name": "ALF:HeraklezEval:Trojan:Win32/AgentTesla!rfn",
"target": null
},
{
"id": "!#HSTR:Win32/Spectorsoft",
"display_name": "!#HSTR:Win32/Spectorsoft",
"target": "/malware/!#HSTR:Win32/Spectorsoft"
},
{
"id": "ALF:Base64EncodeFunctionMonitorW",
"display_name": "ALF:Base64EncodeFunctionMonitorW",
"target": null
},
{
"id": "185.199.108.133.Malware_Host",
"display_name": "185.199.108.133.Malware_Host",
"target": null
},
{
"id": "adware.opencandy",
"display_name": "adware.opencandy",
"target": null
},
{
"id": "Malvertizing",
"display_name": "Malvertizing",
"target": null
}
],
"attack_ids": [
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0006",
"name": "Credential Access",
"display_name": "TA0006 - Credential Access"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
},
{
"id": "TA0009",
"name": "Collection",
"display_name": "TA0009 - Collection"
},
{
"id": "TA0034",
"name": "Impact",
"display_name": "TA0034 - Impact"
},
{
"id": "TA0040",
"name": "Impact",
"display_name": "TA0040 - Impact"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 32,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1872,
"FileHash-SHA1": 1140,
"FileHash-SHA256": 2367,
"URL": 1969,
"domain": 327,
"hostname": 1025,
"email": 1
},
"indicator_count": 8701,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "820 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "658481716d9034bb0d52212d",
"name": "Apple Attack | Floxif Spyware | Threat Network | Virus Network",
"description": "Threat Network affecting and/or originating from Apple server. Malware attacks apple airpods, tv, apple store\napple trade, apple tv\napple watch, apple card, apple og?, apple server.\nSystemUpdate.dll issue. Device may partially attempt, device will show latest update, com[promised devices may have throttled update on attempt.\n\nFloxif:\nShort bio\nTrojan.Floxif is Malwarebytes\u2019 detection name for a file-changing Trojanthat targets Windows systems.\n\nSymptoms\nTrojan.Floxif can change legitimate files into infected files. Then the infected files act as a backdoor, giving the threat actor control over the machine.\n\nStaged data. Floxif primarily target Windows, Apple is less vulnerable to buy can be experience a Floxif attack.",
"modified": "2024-01-20T14:03:29.247000",
"created": "2023-12-21T18:18:25.746000",
"tags": [
"bitrep",
"learn",
"apple card",
"apple",
"apple store",
"apple tv",
"watch vision",
"airpods tv",
"apple watch",
"buy apple",
"apple trade",
"footer",
"media",
"find",
"cisco umbrella",
"site",
"safe site",
"alexa top",
"million",
"malicious site",
"hostname",
"hostnames",
"detection list",
"blacklist",
"malware",
"alexa",
"ip address",
"whois record",
"ssl certificate",
"iocs",
"whois whois",
"historical ssl",
"communicating",
"threat network",
"ioc search",
"new ioc",
"teams api",
"contact",
"attack",
"probe",
"search",
"threat",
"paste",
"contacted",
"april",
"threat roundup",
"pe resource",
"lcid1033",
"smlen",
"spn647",
"bv6fet56ww",
"february",
"core",
"name verdict",
"falcon sandbox",
"threat analyzer",
"samples",
"generic malware",
"tag count",
"malware generic",
"tue dec",
"threat report",
"summary",
"first",
"http response",
"final url",
"status code",
"body length",
"kb body",
"sha256",
"self",
"server apple",
"connection",
"html info",
"title apple",
"meta tags",
"indextab og",
"apple og",
"spyware",
"plugins",
"cab",
"fraud urls",
"data collection",
"staged data",
"privilege escalation",
"defense evasion",
"evasive",
"stealthy",
"serial number",
"symantec time",
"stamping",
"algorithm",
"thumbprint",
"from",
"symantec sha256",
"sha256 code",
"signing ca",
"class",
"vhash",
"authentihash",
"imphash",
"rich pe",
"ssdeep",
"file type",
"win32 dll",
"magic pe32",
"intel",
"ms windows",
"compiler",
"vs2008",
"rticon english",
"vs2005",
"chi2",
"contained",
"info compiler",
"products",
"header target",
"machine intel",
"utc entry",
"floxif",
"serving ip",
"address",
"headers nel",
"dynamic expires",
"gmt server",
"file sharing",
"personal data"
],
"references": [
"https://www.apple.com/qtactivex/qtplugin.cab",
"https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]",
"http://www.screensaver.com/ruxitbeacon",
"https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]",
"http://dns1.whitelist.camect.com [interesting]",
"https://www.jbits.courts.state.co [interesting]",
"http://www.sos.state.co/ [interesting]",
"https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary",
"https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary",
"Crowdsourced YARA Rulesets",
"Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems",
"Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security",
"Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth",
"https://www.malwarebytes.com/blog/detections/trojan-floxif",
"20.190.160.2 Microsoft [exploit_source]",
"20.190.160.67 Microsoft [exploit_source]",
"20.190.160.73 Microsoft [exploit_source]",
"watson.events.data.microsoft.com [traffic manager]",
"http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]",
"watson.telemetry.microsoft.us [Data traffic manager]",
"www.anyxxxtube.net [tracking]",
"https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Malware",
"display_name": "Malware",
"target": null
},
{
"id": "Tulach",
"display_name": "Tulach",
"target": null
},
{
"id": "Apple",
"display_name": "Apple",
"target": null
}
],
"attack_ids": [
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "TA0007",
"name": "Discovery",
"display_name": "TA0007 - Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 22,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 609,
"FileHash-SHA1": 361,
"FileHash-SHA256": 1977,
"domain": 460,
"hostname": 992,
"URL": 3115
},
"indicator_count": 7514,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "821 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth",
"http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel [Apple exploit]",
"https://vtbehaviour.commondatastorage.googleapis.com/78b28e036975c623615fc78041391a521854ddc8bce63a4b6a99ca423f285f8e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776009546&Signature=lM5FKrkq%2FoqgThG3Rn2Gmd1bQT0VhTjIE0fM8qSJpWsHSGWk2QFB1tj768pVuQGtOswleAQ0CqStQn9GwlxjWtr1cDCQc80AHsPdMa9aBHU7K4qmOgTq56LqU7GHy9FR3Onp0S8KFsdiQ4LjrINZ1EkG0LG66CdKQYYLjqxakq1BlWnPLibjNYm4j68l7m6oBJC0Iy46BdDzSQW8sGez%2Fa1l89aVvTEpVvoAwVqlYPXCXqNsHNX7It3EQl",
"YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"20.190.160.73 Microsoft [exploit_source]",
"Quasi Government Case",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
"https://www.virustotal.com/gui/file/b883f5fab23c459f41dee72e3f89fc19734fa2f505cb5bee192960f4a0f94062/summary",
"https://207-207-25-201.fwd.datafoundry.com/",
"Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984872&Signature=X7ut04viSpboUfiHbVbGH602vbGaavKO28%2FuQZ9YCLjbW%2Bl9JHGrffH4HHtGQ39GPFGg3uUwyMpuOewArLSuI0W%2F0SjlRr%2B3ob5iUQ8eckXWI47mIElQtuCwRStAGCclC8lI%2BsnrEI7u%2FvPhk16ucrMhQtHiSehYuWwNi1lQkbG3Y5ZoDqClBlw1uSMm1jm1Gpu1EBVSIeAqmbV33HSK%2FDTrwzhuwObiyOu4RKE9E7MOmj%2",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007306&Signature=Ho%2FmCYQV4%2BaUXwyVV9EcgNwJDfHmiCjCqJbz3N%2BwlkcD40B7Rd3ycZRZBZX51i%2FDcl%2FlY1Be1t%2Bd7Z1ytx5PFmaNc5G4hMjnrbZCJCGuMlyiXOmdMqzKum3hVc4WH68dv8kX8Ttz3E6gN%2FXSk95b2ap5ev%2BvXIv9%2BDdK%2ByGC0fUv9g%2BG4PVBuzlCM74Pe8u8MSP%2BQQSkkS7x0s6cK03nhvJ2BZa%2BOo8Bhipa",
"103.246.145.111 [malware]",
"20.190.160.2 Microsoft [exploit_source]",
"watson.telemetry.microsoft.us [Data traffic manager]",
"Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
"louisianarooflawyers.com [phishing| songculture.com redirect , compromised by threat actors]",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/. [ phishing, driver, malvertizing, targeting]",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"Matches rule SUSP_XORed_MSDOS_Stub_Message from ruleset gen_xor_hunting by Florian Roth",
"https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
"YARA Rules",
"Victim silenced. Struck by Car Driven by male police let walk",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"phishing-campaign-cloudstation-eu-west-98.githubusercontent.com [phishing]",
"Denver Police Department Major Crimes closed investigation",
"https://www.malwarebytes.com/blog/detections/trojan-floxif",
"kefas.id: Crowdsourced Sigma below | Malicious Score High",
"http://www.dvd-game-new-releases.info/skin/tsara-brashears-dead.akp",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/ [phishing]",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"https://otx.alienvault.com/indicator/hostname/ac-netstorage.apple.com [front facing withu4ever.com dating app/fraud service stores Apple data]",
"SRC URL : http://dl.frostwire.com/frostwire/5.3.9/frostwire-5.3.9.windows.exe",
"https://vtbehaviour.commondatastorage.googleapis.com/ba5366936b00980d7af18523a2881e030bc95dbb278aea21bcfd041f33da3176_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776008246&Signature=mH4md%2F1Q%2FmEV1iU2OduUd0ylEwA0KoS4R0FSApUL%2FubjjuVncqxJWmBF4MdXYNfrdzjB%2FVIbSFvewZp%2Fc0b3VcARsLYOUlRHgIlXKdcitM03C0%2BEPqdv4qwalFCJyc4%2FCgB5DhyrOlUXyxdkcxkjxWarNuJOICk%2FataVyfcQyONRN97GnMkrR2%2BTvv8XfNrPyV2yunP4MdE8RP2xPJPxOWO1%2F8JPgMHHwZToBpWT1DcJAjLxa%",
"Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"http://www.screensaver.com/ruxitbeacon",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007773&Signature=n5TgOfD3mktQxb8gJiJMkcdUVdQ4g7H%2BXUFYi3IxT9S%2FBngzNXXlPEMI%2Bl6tVL0831y6z2Y5zbnZGpGeLEd122KaERIL3OYZeSEspcGuCfJDSXamqkXoStA%2FXyjIFZQco8xbInSZebliJvh6XBjbtvGG7y2RuRzorR3tW3gmUS7mcwx5gkEG1ChjjS6XbMLOEiyyVZMkw6MfNaQ%2FKeTYUeMXicDfLsx9VShaDstt0aIQhq",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776008104&Signature=drvELIhluwlnbhi0jchNMK%2BVDDOLOC7mAm7Pry%2BdAZm90YKClGOKKIJpcXa4cyTjPZh3VYOoifdcQtCETfAip1eaTc6jQF61kEH9%2FFCJ%2FDOhAufnwV0pURRY%2BvL5sdTNPbqll06HFqzG3vUap3CjPyoDdFPKRFQvC1UZKPMffPQeUKL88X7uBE0DCT17cCzXzDn4d1a63wLFDuck%2Bd6JH7OA1Q5tstpiL4ZJ3k4YI6GX",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth",
"Melvin Sabey",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowledgement+PD-MB&utm_term= [Mobile transactional with ads/ malicious]",
"20.190.160.67 Microsoft [exploit_source]",
"Ronda Cordova",
"Christopher P \u2018Buzz\u2019 Ahmann",
"https://vtbehaviour.commondatastorage.googleapis.com/5d2a98dafcbdf7593ee07d102507ef4b21bf68ddd6e1cbf77f06fd7f58d7185b_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007848&Signature=VuTrM0RQZ9WiJ6LCxUPm3uvvypfOCy9Wct7UdjbtL%2FbnJ1dRuPIdOMHELRxVwTLRbN17FZ69qfgyvLlUhury2lVO5o5mFt2mm9BMxVe48XRFsuwz9vLdsQId%2FLvXNexCXY4oYgFVgSp4o75PxcdpnS49Ex9qQiUv9pdqKQGW3W1cJTqjcKlTznh0tUI%2Bj8m7tFdT3lDoX%2B1wLNfhCSJFNttX0ny8NVIEkXqasqz1zLL7uysve7I533dEo",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"REFERENCE: https://goo.gl/hXbwiV",
"www.anyxxxtube.net",
"https://tulach.cc/",
"Matches rule UPX from ruleset UPX by kevoreilly",
"x.ss2.us",
"https://shitting.takefile.link/4cgeojxano82/2375.Kty10122__scatting__Shit-Porn.net_.mp4.html [file sharing, personal network storage and backup]",
"https://otx.alienvault.com/indicator/ip/185.199.108.133",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"www.anyxxxtube.net [tracking]",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://www.jbits.courts.state.co [interesting]",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"Matches rule Malware_Floxif_mpsvc_dll from ruleset gen_floxif by Florian Roth (Nextron Systems",
"I bring up the personal nature of the crime because a delete service has been used",
"https://vtbehaviour.commondatastorage.googleapis.com/b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774649417&Signature=zRMCsM3tuILNjSkMAd2chC2V6dbgP%2F59FyNKBtobqgAxPM5DjIIaAsAQcDVV44Gm%2BFk3lDW42de5CAOs%2Fqz%2FogCLlsPk2JlGadH9272VuoWyNceVBJeI2b8dRRbgHvMdN951FzGfLG4%2Fn5udM73Co83RJvwo70bLu59YsU8nCLTZJn6oM3Y04QtulXh8oG2zRbr09EeZfNNVTdxo7wrMSCJBrUd%2BvhRTNMZRaBYbDKn%2FDfjx",
"XOR_embeded_exefile_xored_with_round_256_bytes_key",
"http://www.sos.state.co/ [interesting]",
"http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637StackHash_2264/0_0_0_0/00000000/c0000005/63df0a5b.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=6FET56WW&MID=54046387-FC68-43CA-9068-077C0A157181. [stack hash]",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"https://otx.alienvault.com/indicator/url/https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian [ Walker | Apple Password Cracker]",
"https://www.sweetheartvideo.com/tsara-brashears/",
"watson.events.data.microsoft.com [traffic manager]",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"vtbehaviour.commondatastorage.googleapis.com",
"Malware Hosting: IPv4 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133",
"nr-data.net [Apple Private Data Collection]",
"https://www.myminiweb.com/",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984910&Signature=hjdKVB1Hclv%2FNw7qh%2FV50rCooI70BC8NJcq77KWRUu6VAlxs8vV%2FWfNLh9VzjKS2pBgR7wAaaDp6GwPof61nS4TwykWgUO%2FavR45JKGxhUsjhYKLE5VQoAZkh13wvx1nTVwH%2FP6fx71mJlF71bDqJe7pjpKdd3jyGRDGC6ksN3fMJ%2FRVnusGPDwzZXpy9F6CUYZ1tT9xuK7k3zz9xdIV5e0noQ9s7P343Ca7ROLOUhs9",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://www.virustotal.com/gui/url/2cb82dbaba5c1a7ea415992f28e2d35d06187a8cfc59691b43c1589e072b2c24/summary",
"frostwire-5.3.9.windows.exe",
"IP : 54.192.29.164",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
"http://212.33.237.86/images/1/report.php",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"Matches rule Windows_API_Function from ruleset Windows_API_Function by InQuest Labs",
"https://rdweb.datafoundry.com/",
"Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs",
"Matches rule Windows_Virus_Floxif_493d1897 from ruleset Windows_Virus_Floxif by Elastic Security",
"More information: https://www.nextron-systems.com/notes-on-virustotal-matches/",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007403&Signature=APi3vT1EtU5iYbrNTbVcI07N1wq5DpKROmaZZ7pLG3zwPiO1%2BWKcW1FZW%2BA79%2Fx38mnlwDA%2FRcYE5smasAt%2BPpYDIFKaVIi8RCDkzvXJR3tMy30GV%2FXakj%2BSaJnb0puPdOw4l87ohhDU9jf%2BSiloJD0daXTiNWfm%2BGtNt8l34Bj76KOtvHAXgR6784Qg6jArynpfGBCMDM%2BvDxNcjaKJa%2BKj3FpOrhdVQAHX0oR",
"YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3",
"https://www.datafoundry.com/category/news/press-releases/",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
"cdn-185-199-108-133.github.com",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"www.pornhub.com [New Relic | nr-data.net | Apple Private Data Collection]",
"FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"https://vtcuckoo.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007491&Signature=C8TMJqhS%2FgoHhBBerFti1D2nDZ1RyJGhtJzLZqo2wh1eL82HC3CCxenuVK1umamrAEwtWdKgen5rrLWs5JyhVIHVGze5ItsDI9qw3lJLXF6WwYM%2BBbXgt3WcXielTAI4YsIk%2BBQI4IRQsVNM3GlE0w92diOXHW4Wh5H9CvSwHliMFzCQrzrMzaoa%2B08LPjQdEE%2ByyB7tbtCKZ88IPD6%2BxyAVGS9DMEOnIvH%2BA9Ij4uHieKWvU3EZUgwWe89eFZu4LwCtOWz",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"https://www.hybrid-analysis.com/sample/f9fab0bda2e82393cdcbb235dd41b48e00552116101deb0215bc64032741dcad",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"Mark Brian Sabey",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006701&Signature=YjF%2Fy4vmVzw2Nqyd9W3hbfPL2aEPZbKUOajAyV1uEq14FZrLVyJ2VdPgaP63PsvKuEquUw%2FYs4Cq4clfGDB6Psj7my4aBKDzchxzKt%2FRLju%2BZ9tqqbL5Hq1tkkbfY91t2GPkaU7fX9pAkHVLeUvndfLoG7S60MUcGbOOH0F42wlR2%2BuS2vI5og5RV%2Fm%2FTZ%2BkVjZqKH%2F3suCNtPjSHRFH9mzo923zwnzUeS%2Fku5eZD3nr%2BfgF",
"https://www.apple.com/qtactivex/qtplugin.cab",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006515&Signature=kC4Q9ajm2R%2Fx53YEL6clvinR3%2F3rEZvU5gUV%2FQNb4Hwjt189HpcQyYd%2Bg5wiI4JI9vzXsg5DCnfkbQnYC8mAFugxueqQujtRtCJlLEle%2FDvLPAjAAE1zvFWEJa%2FNWn22vzfb2kSUc3sZATDaJJ7qzCjHnPj5b%2FXZcsVdz8ffP%2BzzzWeCM16aljBDeuaqzhAoyqL%2BiU9nhZgotJ8wgRiuSaPxk2TnljMh3ytdEw8ekyHV",
"Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Crowdsourced YARA Rulesets",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006631&Signature=i1UBMv0C3L3d7z35O6OKU0KrZKXISlpDDZrJ2g2SLJ70HDiyQt7ELalpehTsx%2FTUk8pg4M%2BKsZZUS%2FxXUwsl88tznktFiJS6L8soYz%2BbUnSYDneW9%2FMugMaVx2s2IWec15RcS7i3JY2IDdgcNzrGEnRqqd3BJWV8mkIRCQrtS1d2%2FqW4VjdZ7gOZKAUNQFBEC002l4wmqDbQTq%2FtS5eNsFpXe1TEiGrctaa5QJcvm%",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"dvd-game-new-releases.info",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"1.116.217.151 [Cobalt Strike]",
"https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"Some may may find this content is very disturbing and offensive",
"http://alohatube.xyz/search/tsara-brashears",
"http://watchhers.net/index.php",
"Reimer was a PT. Unknown whereabouts , name or job description",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/",
"RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_JS_Command",
"https://otx.alienvault.com/indicator/url/https://www.bleepingcomputer.com/forums/t/268006/wormmalware-that-kills-run-system-restore-regedit/ [ phishing attack directed towards Tsara Brashears]",
"http://dns1.whitelist.camect.com [interesting]",
"185.199.108.133",
"ns3.hallgrandsale.ru",
"Unknown Persons impersonating Private Investigators (plural)",
"YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"AS : AS16509 Amazon.com, Inc",
"https://webmail.police.govmm.org/owa/",
"YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Et",
"Win32/ispen badnews fake user-agent",
"Alf:hstr:hacktool:extremeinjector.s01",
"Worm:win32/autorun!atmn",
"Porn revenge",
"Babulya/collectorstealer user-agent",
"Content reputation",
"!#hstr:win32/spectorsoft",
"Multios.coinminer.miner-6781728-2",
"Magic",
"Win.malware.generic-9820446-0",
"Tulach",
"185.199.108.133.malware_host",
"Cobalt strike",
"Apple",
"Hallrender",
"Emotet",
"Virtool",
"Hacktool",
"Xored",
"Alf:heraklezeval:trojan:win32/agenttesla!rfn",
"Tons of malware",
"Alf:base64encodefunctionmonitorw",
"Malvertizing",
"Adware.opencandy",
"Win.trojan.emotet-9850453-0",
"Generic",
"Trojan.dukes/xmldrp",
"Hallgrand",
"Malware",
"Virtool:msil/obfuscator.bv"
],
"industries": []
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 38,
"pulses": [
{
"id": "69bf261cc4e399447d78776c",
"name": "Cyber Bully Attackers | Revenge Attacks | Remote attackers | Malware Packed |",
"description": "Several government entities, attorneys have sought porn revenge including physical violence, attempted crimes, malicious prosecution case , harassment when a female patient of man formerly known as Jeffrey Scott Reimer of Chester Springs, PA, violently, critically injured patient in a sexually charged assault [URL\thttp://foundry2-lbl.dvr.dn2.n-helix.com\t\t\t\nhttps://foundry2-lbl.dvr.dn2.n-helix.com\t\tfoundry2-lbl.dvr.dn2.n-helix.com\t\t\t\t\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\nhttp://datafoundry.com\t\t\t\nhttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\thttps://209-99-40-223.fwd.datafoundry.com\t\t\t\ndatafoundry.com",
"modified": "2026-04-20T19:05:08.688000",
"created": "2026-03-21T23:13:32.760000",
"tags": [
"sc data",
"data upload",
"please sub",
"include data",
"extraction",
"failed",
"sc pulse",
"idron anv",
"extr please",
"include review",
"exclude sugges",
"stop show",
"typ domain",
"united",
"virtool",
"name servers",
"cryp",
"emails",
"win32",
"ip address",
"worm",
"trojan",
"learn",
"suspicious",
"informative",
"ck id",
"name tactics",
"command",
"adversaries",
"spawns",
"ssl certificate",
"initial access",
"link initial",
"prefetch8",
"mitre att",
"ck matrix",
"flag",
"windows nt",
"win64",
"accept",
"encrypt",
"form",
"hybrid",
"bypass",
"general",
"path",
"iframe",
"click",
"strings",
"anchor https",
"anchor",
"liberal",
"sabey",
"liberal friends",
"meta",
"html internet",
"html document",
"unicode text",
"utf8 text",
"info initial",
"access ta0001",
"compromise",
"t1189 network",
"communication",
"get http",
"artifacts v",
"full reports",
"v get",
"help dns",
"resolutions",
"ip traffic",
"extr data",
"enter sc",
"extra data",
"referen",
"broth",
"passive dns",
"urls",
"http",
"hostname",
"files domain",
"files related",
"related tags",
"none google",
"safe browsing",
"inquest labs",
"lucas acha",
"code integrity",
"checks creation",
"otx logo",
"all hostname",
"files",
"domain",
"protect",
"date",
"title",
"exchange",
"se http",
"present jan",
"present feb",
"present dec",
"backdoor",
"certificate",
"all domain",
"alibaba cloud",
"hichina",
"porkbun llc",
"cloudflare",
"namecheap inc",
"namecheap",
"domains",
"dynadot llc",
"ascio",
"denmark",
"url https",
"filehashsha256",
"url http",
"dopple ai",
"snit",
"iocs",
"otx description",
"information",
"report spam",
"delete service",
"poem",
"hunter",
"malicious",
"porn revenge",
"brian sabeys",
"all report",
"spam delete",
"rl http",
"https",
"expiration http",
"spam brian",
"swipper",
"type indicator",
"role title",
"added active",
"related pulses",
"filehashmd5",
"filehashsha1",
"sha256",
"scan",
"learn more",
"indicators show",
"tbmvid",
"sourcelnms",
"zx1724209326040",
"xxx videos",
"xxxvideohd",
"adversary",
"packing",
"palantir.com",
"discovery",
"victim won case",
"doin it",
"palantirian abuse",
"apple",
"sabey data centers",
"insurance",
"quasi government",
"the brother sabey",
"reimer",
"law enforcement",
"vessel state",
"sabey porn",
"hall evans",
"christopher ahmann",
"defamation",
"google"
],
"references": [
"The Brothers Sabey \u2013 Conservatives with Liberal Friends \u2022 https://thebrotherssabey.com/",
"http://watchhers.net/index.php",
"http://212.33.237.86/images/1/report.php",
"https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
"https://webmail.police.govmm.org/owa/",
"https://pks.wroclaw.sa.gov.pl:1443/ \u2022 portal.bialystok.sa.gov.pl",
"https://tulach.cc/ phishing \u2022 45.32.112.220 scanning_host \u2022 45.76.79.215",
"Mark Brian Sabey",
"Melvin Sabey",
"Christopher P \u2018Buzz\u2019 Ahmann",
"Ronda Cordova",
"Unknown Persons impersonating Private Investigators (plural)",
"Quasi Government Case",
"Victim silenced. Struck by Car Driven by male police let walk",
"Denver Police let this attempted murder walk. Cited him as a ghost driver",
"Make driver stuck victim with large vehicle after PT unknowingly reported original assault Jeffrey Reiner to Dora",
"Sexual and Physical Assaulter - Jeffrey Scott Reimer",
"Reimer was a PT. Unknown whereabouts , name or job description",
"Denver Police Department Major Crimes closed investigation",
"Investigation closed when Brian Sabey initiated a malicious prosecution case against Victim",
"I bring up the personal nature of the crime because a delete service has been used",
"More than 1000 IoC\u2019s including pulses have been ILLEGALLY removed",
"All IoC\u2019s originate from sources named. There are some unknown attackers",
"This is a serious crime. I\u2019m certain God WILL pay them.",
"https://palantirwww.sweetheartvideo.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t3\t domain\tpalantir.io\t\t\tMar 21, 2026, 2:06:10 PM\t\t34\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/ \u2022 www.palantir.com",
"http://palantirwww.sweetheartvideo.com/ (weirdness)",
"http://foundry2-lbl.dvr.dn2.n-helix.com \u2022 https://foundry2-lbl.dvr.dn2.n-helix.com",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"foundry2-lbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t29\t URL\thttps://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t URL\thttp://datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t9\t URL\thttp://foundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t17\t URL\thttps://209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t27\t domain\tdatafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t40\t hostname\t209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/RDWeb/Pages/en-US/login.aspx",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.datafoundry.com/data-center-contamination-control/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2-lbl.dvr.dn2.n-helix.com/",
"https://207-207-25-201.fwd.datafoundry.com/",
"http://datafoundry.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://209-99-40-223.fwd.datafoundry.com \u2022 datafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com \u2022 beabetta.ifoundry.co.uk.s7b2.psmtp.com \u2022 foundry2sdbl.dvr.dn2.n-helix.com \u2022 fwd.datafoundry.com \u2022 207-207-25-154.fwd.datafoundry.com \u2022 207-207-25-156.fwd.datafoundry.com\t\t\t207-207-25-160.fwd.datafoundry.com \u2022 207-207-25-163.fwd.datafoundry.com \u2022\t207-207-25-164.fwd.datafoundry.com \u2022 207-207-25-165.fwd.datafoundry.com\t\t\tMar 21, 207-207-25-166.fwd",
"http://datafoundry.com \u2022 https://209-99-40-223.fwd.datafoundry.com\tdatafoundry.com \u2022 209-99-40-223.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t13\t hostname\tbeabetta.ifoundry.co.uk.s7b2.psmtp.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t12\t hostname\tfoundry2sdbl.dvr.dn2.n-helix.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t18\t hostname\tfwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t8\t hostname\t207-207-25-154.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:10 PM\t\t19\t hostname\t207-207-25-156.fwd.datafoundry.com\t\t\tMar 21, 2026, 2:06:1",
"https://rdweb.datafoundry.com/",
"https://www.palantir.io/docs/foundry/ontologies/test-changes-in-ontology/",
"http://foundry2sdbl.dvr.dn2.n-helix.com/",
"Updated | What\u2019s left after theft",
"207-207-25-167.fwd.datafoundry.com \u2022 207-207-25-168.fwd.datafoundry.com \u2022 207-207-25-169.fwd.datafoundry.com",
"207-207-25-170.fwd.datafoundry.com \u2022 207-207-25-171.fwd.datafoundry.com \u2022 207-207-25-201.fwd.datafoundry.com",
"https://www.datafoundry.com/category/news/press-releases/ (Fake Press) abuse",
"https://www.datafoundry.com/category/news/press-releases/",
"207-207-25-209.fwd.datafoundry.com \u2022\t207-207-25-212.fwd.datafoundry.com \u2022 207-207-25-213.fwd.datafoundry.com \u2022 209-99-64-53.fwd.datafoundry.com",
"209-99-69-91.fwd.datafoundry.com \u2022 dns1.datafoundry.com \u2022 dns2.datafoundry.com \u2022 rdweb.datafoundry.com",
"www.go.datafoundry.com \u2022 http://207-207-25-209.fwd.datafoundry.com",
"http://209-99-64-53.fwd.datafoundry.com \u2022 http://dns2.datafoundry.com \u2022 http://fwd.datafoundry.com",
"http://pdns1.datafoundry.com/ \u2022\thttp://rdweb.datafoundry.com \u2022 http://rdweb.datafoundry.com/",
"https://rdweb.datafoundry.com/ \u2022 http://www.datafoundry.com \u2022 https://207-207-25-163.fwd.datafoundry.com \u2022",
"https://207-207-25-209.fwd.datafoundry.com \u2022 https://209-99-40-224.fwd.datafoundry.com/",
"https://209-99-64-53.fwd.datafoundry.com \u2022 https://dns1.datafoundry.com \u2022 https://dns2.datafoundry.com \u2022 https://fwd.datafoundry.com",
"Some may may find this content is very disturbing and offensive"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Porn Revenge",
"display_name": "Porn Revenge",
"target": null
},
{
"id": "Tons of Malware",
"display_name": "Tons of Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1495",
"name": "Firmware Corruption",
"display_name": "T1495 - Firmware Corruption"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1586.001",
"name": "Social Media Accounts",
"display_name": "T1586.001 - Social Media Accounts"
},
{
"id": "T1593.001",
"name": "Social Media",
"display_name": "T1593.001 - Social Media"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"display_name": "T1190 - Exploit Public-Facing Application"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1059.002",
"name": "AppleScript",
"display_name": "T1059.002 - AppleScript"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1584",
"name": "Compromise Infrastructure",
"display_name": "T1584 - Compromise Infrastructure"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 6034,
"domain": 1422,
"IPv4": 397,
"FileHash-MD5": 274,
"FileHash-SHA1": 252,
"FileHash-SHA256": 3378,
"email": 11,
"hostname": 2753,
"CVE": 1,
"SSLCertFingerprint": 9,
"IPv6": 32
},
"indicator_count": 14563,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "37 seconds ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e30d748895cd7a5746fd20",
"name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research",
"description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"modified": "2026-04-18T04:49:56.011000",
"created": "2026-04-18T04:49:56.011000",
"tags": [
"injection",
"removal",
"manipulation",
"apt29",
"lab52",
"avertium",
"ukraine",
"magicweb",
"nato",
"solarwinds",
"snowyamber",
"halfrig",
"quarterrig",
"orion",
"team",
"ransomware",
"mimikatz",
"magicweb",
"hijack",
"cobalt strike",
"trojan",
"dropper",
"dukes",
"malware",
"ylarv",
"drop",
"msdos",
"stub",
"rareencoding",
"memory pattern",
"communication",
"urls http",
"hashes",
"client execut",
"modify registry",
"preos boot",
"technir process",
"artifacts v",
"v help",
"rootkit",
"os credential",
"response",
"nxdomain",
"name n",
"dumping",
"sigma",
"use short",
"name path",
"creates",
"query firmware",
"verdict",
"report",
"malicious",
"defense evasion",
"network info",
"process",
"system",
"hostname"
],
"references": [
"https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
"I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting",
"XOR_embeded_exefile_xored_with_round_256_bytes_key",
"FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
"Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
"YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
"YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth",
"YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth",
"YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
"SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
"Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
"kefas.id: Crowdsourced Sigma below | Malicious Score High",
"Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
"Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
"Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
"Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Norway",
"Ukraine",
"Poland"
],
"malware_families": [
{
"id": "Xored",
"display_name": "Xored",
"target": null
},
{
"id": "Trojan.Dukes/Xmldrp",
"display_name": "Trojan.Dukes/Xmldrp",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 23,
"URL": 34,
"hostname": 97,
"FileHash-MD5": 32,
"FileHash-SHA1": 29,
"FileHash-SHA256": 138,
"CVE": 4,
"IPv4": 24
},
"indicator_count": 381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "2 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db609269c77812f937026e",
"name": "CAPE Sandbox ----- emulex fc 2.72.011.002-3",
"description": "emulex fc 2.72.011.002-3, Malware Behavior Catalog Tree\nAnti-Behavioral Analysis\nOB0001\nVirtual Machine Detection\nB0009\nSoftware Packing\nF0001\nAnti-Static Analysis\nOB0002\nSoftware Packing\nF0001\nDefense Evasion\nOB0006\nSoftware Packing\nF0001\nDiscovery\nOB0007\nFile and Directory Discovery\nE1083\nExecution\nOB0009\nCommand and Scripting Interpreter\nE1059\nFile System\nOC0001\nDelete File\nC0047\nGet File Attributes\nC0049\nSet File Attributes\nC0050\nRead File\nC0051\nWrites File\nC0052\nProcess\nOC0003\nTerminate Process\nC0018\nCommunication\nOC0006\nHTTP Communication\nC0002\n\nWho are you protecting? Look at your root certificate map to 2018-19. Im not mad, I am just disappointed in the lack of cyber security awareness and cryptographic failures. If I see one more unsigned DNSSEC. Edge node completely exposed. Maybe let CISA and the NSA handle things since they are competent. unknown agency- #burnedyourowncountry.\nPalo Alto, level blue, falcon sandbox, cape, yomi, sec, arc- you are heroes for picking up malware that evades everything.",
"modified": "2026-04-15T19:46:25.951000",
"created": "2026-04-12T09:06:26.754000",
"tags": [
"hbanyware",
"hbas",
"true",
"reportlocation",
"programfiles",
"command line",
"enable silent",
"mode",
"full",
"local only",
"false",
"path",
"example",
"windows sandbox",
"clear filters",
"show",
"fibre channel",
"emulex fibre",
"emulex network",
"fibre chann",
"host b",
"network",
"emulex",
"network cards",
"find",
"UNITED STATES SENT.",
"Still love USA.",
"bankers doc",
"ESign Violation",
"cyber warfare",
"Fraud",
"pdfkit.net",
"CIVIL rights violation",
"geofence",
"whistleblower",
"adobe exploited from unsafe practices",
"certificate abuse",
"wiper",
"Docusign exploited from unsafe practices",
"abuse",
"modification of the record",
"date changes",
"deleting evidence",
"wateringholeleftwideopen#RiskManagementKnowledgeDeficient",
"firmware neutral",
"fraud",
"espionage",
"Iloveyou.txt",
"APTnull.",
"PlutoniumoftheInternet",
"apiabuse",
"Put Zen at risk",
"Microsoft exploited from misuse of power and secure protocols",
"Spyonyourinternalframework.",
"fsquirt.[exe]",
"bluetooth tampering",
"wormhole",
"backdoor",
"GITlikeMITbutSouth",
"pool",
"CloseDoorsProper",
"spellbound.[exe]",
"Wizard",
"GUI of Bluetooth File Transfer Wizard",
">",
"modified": "2026-04-14T04:52:47.333000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:36.465000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 10,
"IPv4": 58,
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:32.943000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dbb65f599a553b7d8b7cfe",
"name": "CAPE Sandbox - Civil Rights Violations I Human Rights I Suppression of those in need.",
"description": "\"Unknown\".",
"modified": "2026-04-12T15:57:23.397000",
"created": "2026-04-12T15:12:31.788000",
"tags": [
"thread",
"javathread",
"exception",
"environment",
"java",
"image fetcher",
"ebx0x4869e3c4",
"ecx0x007c5000",
"ebp0x4869e3ac",
"esi0x4869e414",
"stack",
"windows sandbox",
"calls process",
"file type",
"ms windows",
"pe32",
"intel",
"pe file",
"found",
"drops pe",
"ascii",
"ascii text",
"code",
"persistence",
"next"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006515&Signature=kC4Q9ajm2R%2Fx53YEL6clvinR3%2F3rEZvU5gUV%2FQNb4Hwjt189HpcQyYd%2Bg5wiI4JI9vzXsg5DCnfkbQnYC8mAFugxueqQujtRtCJlLEle%2FDvLPAjAAE1zvFWEJa%2FNWn22vzfb2kSUc3sZATDaJJ7qzCjHnPj5b%2FXZcsVdz8ffP%2BzzzWeCM16aljBDeuaqzhAoyqL%2BiU9nhZgotJ8wgRiuSaPxk2TnljMh3ytdEw8ekyHV",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006631&Signature=i1UBMv0C3L3d7z35O6OKU0KrZKXISlpDDZrJ2g2SLJ70HDiyQt7ELalpehTsx%2FTUk8pg4M%2BKsZZUS%2FxXUwsl88tznktFiJS6L8soYz%2BbUnSYDneW9%2FMugMaVx2s2IWec15RcS7i3JY2IDdgcNzrGEnRqqd3BJWV8mkIRCQrtS1d2%2FqW4VjdZ7gOZKAUNQFBEC002l4wmqDbQTq%2FtS5eNsFpXe1TEiGrctaa5QJcvm%",
"https://vtbehaviour.commondatastorage.googleapis.com/9c9e292627a4149c52e7fba5cb10ce7ccbc1c33848e2958263783e48135e3988_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776006701&Signature=YjF%2Fy4vmVzw2Nqyd9W3hbfPL2aEPZbKUOajAyV1uEq14FZrLVyJ2VdPgaP63PsvKuEquUw%2FYs4Cq4clfGDB6Psj7my4aBKDzchxzKt%2FRLju%2BZ9tqqbL5Hq1tkkbfY91t2GPkaU7fX9pAkHVLeUvndfLoG7S60MUcGbOOH0F42wlR2%2BuS2vI5og5RV%2Fm%2FTZ%2BkVjZqKH%2F3suCNtPjSHRFH9mzo923zwnzUeS%2Fku5eZD3nr%2BfgF",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007306&Signature=Ho%2FmCYQV4%2BaUXwyVV9EcgNwJDfHmiCjCqJbz3N%2BwlkcD40B7Rd3ycZRZBZX51i%2FDcl%2FlY1Be1t%2Bd7Z1ytx5PFmaNc5G4hMjnrbZCJCGuMlyiXOmdMqzKum3hVc4WH68dv8kX8Ttz3E6gN%2FXSk95b2ap5ev%2BvXIv9%2BDdK%2ByGC0fUv9g%2BG4PVBuzlCM74Pe8u8MSP%2BQQSkkS7x0s6cK03nhvJ2BZa%2BOo8Bhipa",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007403&Signature=APi3vT1EtU5iYbrNTbVcI07N1wq5DpKROmaZZ7pLG3zwPiO1%2BWKcW1FZW%2BA79%2Fx38mnlwDA%2FRcYE5smasAt%2BPpYDIFKaVIi8RCDkzvXJR3tMy30GV%2FXakj%2BSaJnb0puPdOw4l87ohhDU9jf%2BSiloJD0daXTiNWfm%2BGtNt8l34Bj76KOtvHAXgR6784Qg6jArynpfGBCMDM%2BvDxNcjaKJa%2BKj3FpOrhdVQAHX0oR",
"https://vtcuckoo.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007491&Signature=C8TMJqhS%2FgoHhBBerFti1D2nDZ1RyJGhtJzLZqo2wh1eL82HC3CCxenuVK1umamrAEwtWdKgen5rrLWs5JyhVIHVGze5ItsDI9qw3lJLXF6WwYM%2BBbXgt3WcXielTAI4YsIk%2BBQI4IRQsVNM3GlE0w92diOXHW4Wh5H9CvSwHliMFzCQrzrMzaoa%2B08LPjQdEE%2ByyB7tbtCKZ88IPD6%2BxyAVGS9DMEOnIvH%2BA9Ij4uHieKWvU3EZUgwWe89eFZu4LwCtOWz",
"https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007773&Signature=n5TgOfD3mktQxb8gJiJMkcdUVdQ4g7H%2BXUFYi3IxT9S%2FBngzNXXlPEMI%2Bl6tVL0831y6z2Y5zbnZGpGeLEd122KaERIL3OYZeSEspcGuCfJDSXamqkXoStA%2FXyjIFZQco8xbInSZebliJvh6XBjbtvGG7y2RuRzorR3tW3gmUS7mcwx5gkEG1ChjjS6XbMLOEiyyVZMkw6MfNaQ%2FKeTYUeMXicDfLsx9VShaDstt0aIQhq",
"https://vtbehaviour.commondatastorage.googleapis.com/5d2a98dafcbdf7593ee07d102507ef4b21bf68ddd6e1cbf77f06fd7f58d7185b_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776007848&Signature=VuTrM0RQZ9WiJ6LCxUPm3uvvypfOCy9Wct7UdjbtL%2FbnJ1dRuPIdOMHELRxVwTLRbN17FZ69qfgyvLlUhury2lVO5o5mFt2mm9BMxVe48XRFsuwz9vLdsQId%2FLvXNexCXY4oYgFVgSp4o75PxcdpnS49Ex9qQiUv9pdqKQGW3W1cJTqjcKlTznh0tUI%2Bj8m7tFdT3lDoX%2B1wLNfhCSJFNttX0ny8NVIEkXqasqz1zLL7uysve7I533dEo",
"https://vtbehaviour.commondatastorage.googleapis.com/176214ebc5416adc4cc1220d26937a6dfed02bf71dae594e4cf15dd93c0871e8_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776008104&Signature=drvELIhluwlnbhi0jchNMK%2BVDDOLOC7mAm7Pry%2BdAZm90YKClGOKKIJpcXa4cyTjPZh3VYOoifdcQtCETfAip1eaTc6jQF61kEH9%2FFCJ%2FDOhAufnwV0pURRY%2BvL5sdTNPbqll06HFqzG3vUap3CjPyoDdFPKRFQvC1UZKPMffPQeUKL88X7uBE0DCT17cCzXzDn4d1a63wLFDuck%2Bd6JH7OA1Q5tstpiL4ZJ3k4YI6GX",
"https://vtbehaviour.commondatastorage.googleapis.com/ba5366936b00980d7af18523a2881e030bc95dbb278aea21bcfd041f33da3176_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776008246&Signature=mH4md%2F1Q%2FmEV1iU2OduUd0ylEwA0KoS4R0FSApUL%2FubjjuVncqxJWmBF4MdXYNfrdzjB%2FVIbSFvewZp%2Fc0b3VcARsLYOUlRHgIlXKdcitM03C0%2BEPqdv4qwalFCJyc4%2FCgB5DhyrOlUXyxdkcxkjxWarNuJOICk%2FataVyfcQyONRN97GnMkrR2%2BTvv8XfNrPyV2yunP4MdE8RP2xPJPxOWO1%2F8JPgMHHwZToBpWT1DcJAjLxa%",
"https://vtbehaviour.commondatastorage.googleapis.com/78b28e036975c623615fc78041391a521854ddc8bce63a4b6a99ca423f285f8e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776009546&Signature=lM5FKrkq%2FoqgThG3Rn2Gmd1bQT0VhTjIE0fM8qSJpWsHSGWk2QFB1tj768pVuQGtOswleAQ0CqStQn9GwlxjWtr1cDCQc80AHsPdMa9aBHU7K4qmOgTq56LqU7GHy9FR3Onp0S8KFsdiQ4LjrINZ1EkG0LG66CdKQYYLjqxakq1BlWnPLibjNYm4j68l7m6oBJC0Iy46BdDzSQW8sGez%2Fa1l89aVvTEpVvoAwVqlYPXCXqNsHNX7It3EQl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1202",
"name": "Indirect Command Execution",
"display_name": "T1202 - Indirect Command Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 125,
"FileHash-MD5": 329,
"FileHash-SHA1": 88,
"FileHash-SHA256": 661,
"URL": 277,
"domain": 99,
"hostname": 248,
"email": 1
},
"indicator_count": 1828,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "8 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "camect.com",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "camect.com",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776711948.7660198
}