{
"type": "Domain",
"indicator": "cloud.microsoft",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/cloud.microsoft",
"alexa": "http://www.alexa.com/siteinfo/cloud.microsoft",
"indicator": "cloud.microsoft",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3744336633,
"indicator": "cloud.microsoft",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69a02837827feb0b78fa3ad2",
"name": "The Belasco Chain",
"description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
"modified": "2026-04-19T09:34:35.173000",
"created": "2026-02-26T11:02:15.932000",
"tags": [
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file type",
"sha1",
"sha256",
"crc32",
"filenames c"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2805,
"FileHash-SHA1": 2568,
"FileHash-SHA256": 7488,
"domain": 1883,
"hostname": 1466,
"URL": 1179,
"email": 46,
"CVE": 46,
"CIDR": 3,
"YARA": 7,
"IPv4": 94,
"JA3": 1
},
"indicator_count": 17586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d9675a25be662c17cd3a9c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-04-19T09:06:31.781000",
"created": "2026-04-10T21:10:50.646000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"No Problems"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 227,
"CVE": 4,
"URL": 368,
"domain": 110,
"IPv4": 34,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20,
"JA3": 1
},
"indicator_count": 869,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d967590f40c612c90ce84f",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-04-19T09:05:10.432000",
"created": "2026-04-10T21:10:49.749000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"APKmirror",
"ILOVEYOUBABY",
"No Problems",
"Christmas Tree EXEC Code Red worm Computer virus Nimda",
"Wanna Cry",
"APK",
"DC RAT",
"Emotnet",
"Redline Swiper",
"Open Door",
"Bankers Document",
"Y2K",
"wsscript.exe, VBE",
"Compliance Lock Trap",
"Globalsign 2020 (potentially exploited)",
"Heuristic Smear",
"Gatsby Library Loader DLL",
"w31999",
"UofA"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"Micro - Dates to look for specific: April/May/June 2025",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"Entrust to Sectigo- Review vendors",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Digi/Global Sign - audit 2020 digital intersect",
"Proton.me/Zenbox: Audit July 2025",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"APKMirror https://www.apkmirror.com",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"Y2K",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"France",
"Germany, Austria, and Switzerland GmbH",
"Gatsby Library Loader, DLL",
"Spellbinding! Indeed. SpellEditor.exe"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3516,
"hostname": 1614,
"CVE": 7,
"URL": 1806,
"domain": 1416,
"IPv4": 888,
"FileHash-MD5": 731,
"FileHash-SHA1": 787,
"CIDR": 6,
"email": 27,
"IPv6": 10,
"JA3": 2
},
"indicator_count": 10810,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf8219dabe3eb8bd65d4d2",
"name": "The Wizard",
"description": "search\n=gws-wiz-serp",
"modified": "2026-04-19T07:04:07.090000",
"created": "2026-03-22T05:46:01.123000",
"tags": [
"html internet",
"html document",
"language"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 285,
"FileHash-SHA1": 144,
"FileHash-SHA256": 255,
"URL": 184,
"hostname": 84,
"domain": 51,
"IPv4": 55,
"IPv6": 8,
"email": 2
},
"indicator_count": 1068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e30d748895cd7a5746fd20",
"name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research",
"description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"modified": "2026-04-18T04:49:56.011000",
"created": "2026-04-18T04:49:56.011000",
"tags": [
"injection",
"removal",
"manipulation",
"apt29",
"lab52",
"avertium",
"ukraine",
"magicweb",
"nato",
"solarwinds",
"snowyamber",
"halfrig",
"quarterrig",
"orion",
"team",
"ransomware",
"mimikatz",
"magicweb",
"hijack",
"cobalt strike",
"trojan",
"dropper",
"dukes",
"malware",
"ylarv",
"drop",
"msdos",
"stub",
"rareencoding",
"memory pattern",
"communication",
"urls http",
"hashes",
"client execut",
"modify registry",
"preos boot",
"technir process",
"artifacts v",
"v help",
"rootkit",
"os credential",
"response",
"nxdomain",
"name n",
"dumping",
"sigma",
"use short",
"name path",
"creates",
"query firmware",
"verdict",
"report",
"malicious",
"defense evasion",
"network info",
"process",
"system",
"hostname"
],
"references": [
"https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
"I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting",
"XOR_embeded_exefile_xored_with_round_256_bytes_key",
"FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
"Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
"YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
"YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth",
"YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth",
"YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
"SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
"Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
"kefas.id: Crowdsourced Sigma below | Malicious Score High",
"Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
"Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
"Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
"Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Norway",
"Ukraine",
"Poland"
],
"malware_families": [
{
"id": "Xored",
"display_name": "Xored",
"target": null
},
{
"id": "Trojan.Dukes/Xmldrp",
"display_name": "Trojan.Dukes/Xmldrp",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 23,
"URL": 34,
"hostname": 97,
"FileHash-MD5": 32,
"FileHash-SHA1": 29,
"FileHash-SHA256": 138,
"CVE": 4,
"IPv4": 24
},
"indicator_count": 381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "2 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f53e6b3e17deca1277b7",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T04:12:56.823000",
"created": "2026-04-17T08:54:22.034000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 686,
"FileHash-MD5": 96,
"FileHash-SHA1": 136,
"IPv4": 98,
"URL": 562,
"hostname": 313,
"domain": 105,
"IPv6": 2,
"email": 2,
"YARA": 1
},
"indicator_count": 2001,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f52e424e1151ddd9c696",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T04:12:55.719000",
"created": "2026-04-17T08:54:06.864000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 714,
"FileHash-MD5": 128,
"FileHash-SHA1": 152,
"IPv4": 98,
"URL": 692,
"hostname": 456,
"domain": 121,
"IPv6": 2,
"email": 2,
"YARA": 5
},
"indicator_count": 2370,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f540bec93625fc7c7466",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T01:05:57.196000",
"created": "2026-04-17T08:54:24.226000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 686,
"FileHash-MD5": 96,
"FileHash-SHA1": 136,
"IPv4": 97,
"URL": 561,
"hostname": 316,
"domain": 105,
"IPv6": 2,
"email": 2
},
"indicator_count": 2001,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f540aa36f336eb92ff53",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T00:53:20.700000",
"created": "2026-04-17T08:54:24.517000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 860,
"FileHash-MD5": 180,
"FileHash-SHA1": 224,
"IPv4": 97,
"URL": 639,
"hostname": 362,
"domain": 107,
"IPv6": 2,
"email": 2
},
"indicator_count": 2473,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b928087357d81fea765e5f",
"name": "VirusTotal report\n for index.html",
"description": "Research by msudosos stronly indicates the use of AI and did you know data to be used as a lure/hook in dropping malicious html/text files.",
"modified": "2026-04-16T10:12:08.619000",
"created": "2026-03-17T10:08:08.576000",
"tags": [
"performs dns",
"united",
"https",
"mitre attack",
"network info",
"processes extra",
"urls",
"t1055 process",
"layer protocol",
"overview",
"phishing",
"next"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4fa978df1c61592b3d336a76d8a324507c53e726ccf8fd6bfb219efbabc0fa1c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773742155&Signature=hmgsQvN6lvSJyMCNIRlWZtk97Xz8JirhWIy72PW5KMpXxyVdg3UanGZ9B%2Bp5n0vJ2KoDKxNkrHyxCWxJpF%2FHxCWQ0WRi05hwyk12d%2BOgtqEnCWKOR6LvEhM8Hxs0Q1dklaSxX%2BEOkqPKpQ5UWYdBds%2FLuiH66TsmSkpXhX9joyRDpwX6pqSNNruY%2Bf6favP5xtlRMjuIAdb2%2BhVa8WzfsDWh%2BTzjkaFxLKA4YP2tE8m35pH6BRG6wl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 68,
"URL": 38,
"hostname": 76,
"domain": 50
},
"indicator_count": 234,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b92808f92c6e1dc095478a",
"name": "VirusTotal report\n for index.html",
"description": "Research by msudosos stronly indicates the use of AI and did you know data to be used as a lure/hook in dropping malicious html/text files.",
"modified": "2026-04-16T10:12:08.619000",
"created": "2026-03-17T10:08:08.182000",
"tags": [
"performs dns",
"united",
"https",
"mitre attack",
"network info",
"processes extra",
"urls",
"t1055 process",
"layer protocol",
"overview",
"phishing",
"next"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/4fa978df1c61592b3d336a76d8a324507c53e726ccf8fd6bfb219efbabc0fa1c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773742155&Signature=hmgsQvN6lvSJyMCNIRlWZtk97Xz8JirhWIy72PW5KMpXxyVdg3UanGZ9B%2Bp5n0vJ2KoDKxNkrHyxCWxJpF%2FHxCWQ0WRi05hwyk12d%2BOgtqEnCWKOR6LvEhM8Hxs0Q1dklaSxX%2BEOkqPKpQ5UWYdBds%2FLuiH66TsmSkpXhX9joyRDpwX6pqSNNruY%2Bf6favP5xtlRMjuIAdb2%2BhVa8WzfsDWh%2BTzjkaFxLKA4YP2tE8m35pH6BRG6wl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 68,
"URL": 38,
"hostname": 76,
"domain": 50,
"CVE": 1
},
"indicator_count": 235,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de5660177cfb2b911d0416",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-16T07:18:14.946000",
"created": "2026-04-14T14:59:44.158000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 118,
"domain": 361,
"IPv4": 41,
"hostname": 462,
"URL": 291,
"FileHash-SHA256": 968,
"FileHash-MD5": 83,
"CVE": 3
},
"indicator_count": 2327,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de565b32d80c2973c2fd77",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-16T07:18:13.574000",
"created": "2026-04-14T14:59:39.743000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 154,
"domain": 367,
"IPv4": 79,
"hostname": 474,
"URL": 293,
"FileHash-SHA256": 1010,
"FileHash-MD5": 119,
"CVE": 11
},
"indicator_count": 2507,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69fe42542016114edaeb",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T17:34:45.078000",
"created": "2026-04-14T16:23:26.071000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 47,
"URL": 114,
"hostname": 130,
"domain": 43
},
"indicator_count": 528,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de6531bfca82db8c335ebb",
"name": "CAPE Sandbox",
"description": "A sample of Google updateSetup.exe has been found on a Windows operating system. \u00c2\u00a31.5m (US$2.4m) in the first half of the year.",
"modified": "2026-04-15T17:28:01.121000",
"created": "2026-04-14T16:02:57.171000",
"tags": [
"parent pid",
"full path",
"command line",
"sessionid",
"files c",
"registry keys",
"mutexes globalg",
"globalg",
"commands",
"read files",
"pe file",
"file type",
"pe32",
"ms windows",
"intel",
"found",
"drops pe",
"aslr",
"ole file",
"contains",
"title",
"installer",
"template",
"code",
"persistence",
"malicious",
"next",
"error",
"google",
"meta",
"style",
"sans",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"success",
"deletefilew",
"createfilew",
"genericwrite",
"readfile",
"genericread",
"regopenkeyexw",
"programfilesdir",
"shimcachemutex",
"copyfileexw",
"detail info",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"filename",
"window",
"class",
"shell",
"find",
"windows sandbox",
"calls process",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"phishing"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 66,
"FileHash-SHA1": 39,
"FileHash-SHA256": 323,
"IPv4": 121,
"URL": 126,
"hostname": 255,
"domain": 87
},
"indicator_count": 1017,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de6532d8458a36f68ce083",
"name": "CAPE Sandbox",
"description": "A sample of Google updateSetup.exe has been found on a Windows operating system. \u00c2\u00a31.5m (US$2.4m) in the first half of the year.",
"modified": "2026-04-15T17:27:59.656000",
"created": "2026-04-14T16:02:58.015000",
"tags": [
"parent pid",
"full path",
"command line",
"sessionid",
"files c",
"registry keys",
"mutexes globalg",
"globalg",
"commands",
"read files",
"pe file",
"file type",
"pe32",
"ms windows",
"intel",
"found",
"drops pe",
"aslr",
"ole file",
"contains",
"title",
"installer",
"template",
"code",
"persistence",
"malicious",
"next",
"error",
"google",
"meta",
"style",
"sans",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"success",
"deletefilew",
"createfilew",
"genericwrite",
"readfile",
"genericread",
"regopenkeyexw",
"programfilesdir",
"shimcachemutex",
"copyfileexw",
"detail info",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"filename",
"window",
"class",
"shell",
"find",
"windows sandbox",
"calls process",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"phishing"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 46,
"FileHash-SHA1": 23,
"FileHash-SHA256": 198,
"IPv4": 53,
"URL": 94,
"hostname": 107,
"domain": 79
},
"indicator_count": 600,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d63c6bc7ab66605f86",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T17:27:59.100000",
"created": "2026-04-14T16:22:46.502000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 43,
"URL": 110,
"hostname": 130,
"domain": 41
},
"indicator_count": 518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d5a54cff2f8c80ba0b",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T17:27:58.724000",
"created": "2026-04-14T16:22:45.821000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 44,
"URL": 109,
"hostname": 130,
"domain": 41
},
"indicator_count": 518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d5c691473d692fac54",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T17:27:58.510000",
"created": "2026-04-14T16:22:45.160000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 43,
"URL": 109,
"hostname": 130,
"domain": 41
},
"indicator_count": 517,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de653101bee17699c7d1e8",
"name": "CAPE Sandbox",
"description": "A sample of Google updateSetup.exe has been found on a Windows operating system. \u00c2\u00a31.5m (US$2.4m) in the first half of the year.",
"modified": "2026-04-15T17:27:57.795000",
"created": "2026-04-14T16:02:57.690000",
"tags": [
"parent pid",
"full path",
"command line",
"sessionid",
"files c",
"registry keys",
"mutexes globalg",
"globalg",
"commands",
"read files",
"pe file",
"file type",
"pe32",
"ms windows",
"intel",
"found",
"drops pe",
"aslr",
"ole file",
"contains",
"title",
"installer",
"template",
"code",
"persistence",
"malicious",
"next",
"error",
"google",
"meta",
"style",
"sans",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"success",
"deletefilew",
"createfilew",
"genericwrite",
"readfile",
"genericread",
"regopenkeyexw",
"programfilesdir",
"shimcachemutex",
"copyfileexw",
"detail info",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"filename",
"window",
"class",
"shell",
"find",
"windows sandbox",
"calls process",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"phishing"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 46,
"FileHash-SHA1": 23,
"FileHash-SHA256": 198,
"IPv4": 53,
"URL": 94,
"hostname": 107,
"domain": 79
},
"indicator_count": 600,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69e81ae5bd040f77c01f",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T17:16:23.246000",
"created": "2026-04-14T16:23:04.494000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 46,
"URL": 114,
"hostname": 130,
"domain": 43
},
"indicator_count": 527,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d60272ee6be0b6be75",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:43.593000",
"created": "2026-04-14T16:22:46.679000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 45,
"URL": 111,
"hostname": 130,
"domain": 42
},
"indicator_count": 522,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d6c23c1920ae49419b",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:41.929000",
"created": "2026-04-14T16:22:46.723000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 46,
"URL": 114,
"hostname": 130,
"domain": 44
},
"indicator_count": 528,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ded8198b25581a09b90824",
"name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration",
"description": "",
"modified": "2026-04-15T00:13:13.981000",
"created": "2026-04-15T00:13:13.981000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69decb6dd1bd6da78fc72d0a",
"name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED",
"description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.",
"modified": "2026-04-14T23:19:09.495000",
"created": "2026-04-14T23:19:09.495000",
"tags": [
"united",
"aaaa",
"certificate",
"error",
"read c",
"rgba",
"unicode",
"memcommit",
"delete",
"dock",
"execution",
"command decode",
"suricata ipv4",
"suricata tcpv4",
"flag",
"localappdata",
"windir",
"openurl c",
"programfiles",
"suricata udpv4",
"win64",
"click",
"strings",
"anon",
"username",
"userprofile",
"mitre att",
"ck id",
"ck matrix",
"appdata",
"comspec",
"model",
"path",
"april",
"hybrid",
"general",
"learn",
"suspicious",
"informative",
"adversaries",
"command",
"spawns",
"ck techniques",
"mtb apr",
"exploit",
"trojan",
"backdoor",
"please",
"x msedge",
"all ipv4",
"ransom",
"date hash",
"avast avg",
"win32orbus apr",
"dynamicloader",
"yara rule",
"high",
"tofsee",
"rndhex",
"rndchar",
"loaderid",
"lidfileupd",
"localcfg",
"write",
"stream",
"push",
"mtb alerts",
"ee fc",
"ff d5",
"lredmond",
"malware",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"yara detections",
"av detections",
"ids detections",
"hostile",
"unknown",
"extraction",
"data upload",
"failed",
"include review",
"stop data",
"typ url",
"url data",
"typ no",
"th all",
"stop",
"port",
"destination",
"ds detections",
"tls sni",
"nrv2x",
"upxoepplace",
"alerts",
"contacted",
"markus",
"hostile alerts",
"less see",
"all ip",
"tulach",
"brian sabey",
"quasi",
"link",
"script urls",
"record value",
"script domains",
"fireeye",
"create c",
"as15169",
"next",
"all url",
"http",
"related pulses",
"related tags",
"google safe",
"code",
"y se",
"included review",
"io excluded",
"suggeste",
"ipv4",
"unknown ns",
"redacted admin",
"fax redacted",
"name redacted",
"phone redacted",
"code redacted",
"redacted tech",
"christopher ahmann",
"solarwinds like?"
],
"references": [
"asp.net \u2022 cdnsrc.asp.net",
"https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf",
"http://www.phonefactor.com/PfPaWs/ConfirmActivation",
"IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting",
"https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo",
"https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c",
"www.fireeye.com",
"danilovstyle.ru",
"ns4-04.azure-dns.info",
"ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info",
"www.fireeye.com .",
"https://hypic-anaivsis.com/sambrerb/a0p9veebo",
"Are these table SolarWinds attackers? Using same tacktics, good? Unsure.",
"Tulach\u2019s ASP.Net Open Source destruction"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Ransom:Win32/SodinokibiCrypt.SK!MTB",
"display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB",
"target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB"
},
{
"id": "Win.Ransomware.Tofsee-10015002",
"display_name": "Win.Ransomware.Tofsee-10015002",
"target": null
},
{
"id": "Trojan:Win32/Comisproc!gmb I",
"display_name": "Trojan:Win32/Comisproc!gmb I",
"target": "/malware/Trojan:Win32/Comisproc!gmb I"
}
],
"attack_ids": [
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1132.001",
"name": "Standard Encoding",
"display_name": "T1132.001 - Standard Encoding"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 88,
"FileHash-MD5": 211,
"FileHash-SHA1": 186,
"FileHash-SHA256": 1366,
"URL": 1848,
"domain": 418,
"email": 4,
"hostname": 622,
"SSLCertFingerprint": 21
},
"indicator_count": 4764,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de5661aa69bc26fcc67ca5",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-14T15:46:10.139000",
"created": "2026-04-14T14:59:45.579000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 581,
"domain": 706,
"IPv4": 42,
"hostname": 577,
"URL": 386,
"FileHash-SHA256": 1620,
"FileHash-MD5": 537,
"CVE": 6
},
"indicator_count": 4455,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de5661607a80dbfa9f35c8",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-14T15:05:34.538000",
"created": "2026-04-14T14:59:45.223000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 118,
"domain": 360,
"IPv4": 41,
"hostname": 462,
"URL": 290,
"FileHash-SHA256": 968,
"FileHash-MD5": 83,
"CVE": 3
},
"indicator_count": 2325,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d547f11081d44c4a06c3da",
"name": "Not Appreciated: Deleted Documents to Hide this Threat Graph.",
"description": "https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815\n\n64d940ed0cdcc62ff7ff0a00c57a486580309773dbf89b94a63339ce97c2792b",
"modified": "2026-04-13T23:18:04.459000",
"created": "2026-04-07T18:07:45.018000",
"tags": [
"attribute",
"report",
"object",
"event",
"tnull",
"pdfkit.net",
"adobe",
"dropped children",
"deleted documents",
"2018 Iran root",
"missing documents",
"threat graph",
"bankers document",
"cryptographically unsound",
"non secure workflow",
"ESIGN act violation",
"post signature modification timestamp"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 82,
"FileHash-MD5": 552,
"FileHash-SHA1": 475,
"FileHash-SHA256": 1340,
"domain": 161,
"hostname": 910,
"URL": 595,
"CVE": 1,
"email": 6
},
"indicator_count": 4122,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db05f833d3d6d2231fb201",
"name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti",
"description": "",
"modified": "2026-04-12T02:39:52.993000",
"created": "2026-04-12T02:39:52.993000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": "69dab27a0493e0e80a0f35cd",
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "8 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69dab27a0493e0e80a0f35cd",
"name": "SearchSuite \u2022 Healthcare Administration",
"description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.",
"modified": "2026-04-11T20:43:38.695000",
"created": "2026-04-11T20:43:38.695000",
"tags": [
"Win32/SearchSuite",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 installer",
"install system",
"compiler",
"NSIS",
"code signing",
"serial number",
"db d2",
"de d3",
"f3 e1",
"issuer thawte",
"primary root",
"ca valid",
"valid",
"valid usage",
"client auth",
"algorithm",
"rticon english",
"type type",
"chi2",
"ico rtgroupicon",
"english us",
"capa",
"c2 antianalysis",
"executable",
"sample appears",
"installer",
"installers well",
"results may",
"be misleading",
"or incomplete",
"analyze created",
"techniques",
"info modify",
"files",
"modify registry",
"directory permi",
"techniques none",
"info",
"scripting inte",
"shared modules",
"Bear Share",
"urls",
"ip address",
"asn as8075",
"united",
"flag united",
"name servers",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"dnssec",
"urlmailto",
"urlhttps",
"search",
"urlhttp",
"moved",
"title",
"encrypt",
"certificate",
"segoe ui",
"otx logo",
"url analysis",
"tokyo",
"msie",
"chrome",
"gmt content",
"all ipv4",
"zeppelin",
"trojandropper",
"cookie",
"backdoor",
"hash avast",
"avg clamav",
"msdefender feb",
"k oct",
"k may",
"mtb feb",
"mtb jan",
"k aug",
"windows nt",
"dynamicloader",
"unknown",
"medium",
"default",
"as16509",
"show",
"powershell",
"write",
"xserver",
"bearshar data",
"passive dns",
"pulse submit",
"port",
"destination",
"high",
"displayname",
"windows",
"win64",
"tofsee",
"stream",
"malware",
"push",
"next",
"asnone",
"germany as8560",
"russia as198610",
"strings",
"is__elf",
"systembc_linux_variant",
"khtml",
"gecko",
"acceptencoding",
"get na",
"macintosh",
"intel mac",
"accept",
"france as16276",
"yara detections",
"contacted",
"all filehash",
"sha256",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"tls sni",
"less see",
"all ip",
"Apple",
"xordata",
"United States"
],
"references": [
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"BearShare Install File Version 12.0.0.135802",
"Musiclab, LLC",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"africa.konnect.com",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"euw-serp-dev-testing19.duck.ai",
"account-apple.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Yara Detections: Tofsee",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"ids-apple.com \u2022 itunes.org",
"xn--cloud-4sa.com",
"http://cab.applemarketingtools.com",
"http://console.applemarketingtools.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Spain",
"France",
"United Kingdom of Great Britain and Northern Ireland",
"Netherlands",
"Japan",
"Switzerland",
"Madagascar",
"Finland",
"Germany",
"Russian Federation"
],
"malware_families": [
{
"id": "Win32/SearchSuite",
"display_name": "Win32/SearchSuite",
"target": null
},
{
"id": "Win32.Application.BearShare.A",
"display_name": "Win32.Application.BearShare.A",
"target": null
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "Win.Trojan.Tofsee-7102058-0",
"display_name": "Win.Trojan.Tofsee-7102058-0",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "TA0002",
"name": "Execution",
"display_name": "TA0002 - Execution"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Government",
"Healthcare",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 138,
"FileHash-SHA1": 119,
"FileHash-SHA256": 3553,
"IPv4": 633,
"CVE": 2,
"URL": 6134,
"domain": 2439,
"hostname": 2271,
"email": 9,
"SSLCertFingerprint": 2
},
"indicator_count": 15300,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "9 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d44e822d2ff4468662199e",
"name": "Habo Analysis System",
"description": "The full text of the file: C:\\WINDOWS\\Microsoft.NET.IE5 (C1OS62) \u00c2\u00a31.3m, or $2.4m.",
"modified": "2026-04-11T02:17:54.186000",
"created": "2026-04-07T00:23:30.608000",
"tags": [
"tickcount",
"detail info",
"behaviour",
"milliseconds",
"filename",
"offset",
"processid",
"threadid",
"startaddress",
"parameter",
"window",
"class",
"shell",
"find",
"open",
"cname",
"accept",
"cape sandbox",
"t1055",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"report time",
"machine name",
"shutdown",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/8067742d1522de2b7ba28e4e74c4b744250fd330f1bb1a8cde417bef9cdafd37_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775520837&Signature=Go%2Bka47KzKvakZea0EmagUuP0OWh9V218ewUgZ%2Faw6M7pocMFDFrIDav5VtR9Zio%2FnNGsl99DUwEN14cvVE7xFktf16MgpylRiss4YfSqpp0kXGWU%2BlRKNNAdSzfobegdD5OHqd3hM2tavGxphIP%2BmeX2wwu3XsT%2Bs5Ir3L0x5GzuVkt%2B%2FpARLvo51yBA6wyZOEi%2F6likFEEQ7uFPK%2BbBDFOnHrBEz4y90df8SLfru",
"https://vtbehaviour.commondatastorage.googleapis.com/e70b290a30880da2be3d60f803d6ae189f8ab46eb3c4dc7f3e6ca177923fbb49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775520941&Signature=h5%2FgwYUpokbT4eHKeAWuE72UbZFEEYsd98oEaFn3qiPxhA3bX3NSlg0zxhcg2C07mStxSFaVptGw5amxMORIQGJ%2FSd7%2FkTZQErlFkVyqI1MyEbDguixd0wuguavTtw0sAESw9gnbksrcvHOaDyKeGXVk42RySgzx%2FN7%2BJ3y8TQdhu89TFSD2%2FMBV%2BYkqiBsjloK7sdemw5o%2BfDb9JssITk1r941iTxSgRRumYz%2F0EiLU"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 314,
"IPv4": 23,
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"hostname": 114,
"URL": 164,
"domain": 66
},
"indicator_count": 685,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "9 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a82c54067ca1d502b1eb6c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain)",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion.\nThe conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. In Infra/Bank/Gov sectors, TTB executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos",
"modified": "2026-04-10T21:08:46.934000",
"created": "2026-03-04T12:57:56.738000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 222,
"CVE": 4,
"URL": 363,
"domain": 108,
"IPv4": 33,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20
},
"indicator_count": 855,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d87573143e567e8503beda",
"name": "CAPE Sandbox - Google Domain Browser",
"description": " Some insight on a browser sandbox. mitm.",
"modified": "2026-04-10T04:08:36.918000",
"created": "2026-04-10T03:58:43.549000",
"tags": [
"title",
"doctype html",
"google",
"ce62bb",
"style",
"error",
"image",
"mitre attack",
"network info",
"performs dns",
"urls",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"phishing",
"next",
"ip traffic",
"msft",
"msft nethandle",
"net1500000",
"server",
"corporation",
"chaturmohta",
"orgroutingref",
"orgabusehandle",
"microsoft abuse",
"orgabuseref",
"microsoft",
"orgid",
"msft address",
"microsoft way",
"city",
"stateprov",
"postalcode",
"thumbprint"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/85b04c04a7046a296d77251f2236ad5e7ce32fbaab17c590ef372bf00497fbd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775792988&Signature=M1J9CaQkigeg5YRUts8g89wpgmwVxVFRSm9L7fFYPqBizkGksAY%2BQXAESjDzcmPanQSRoqOJXy9yNcu%2F4pPkcUbFtUg8oheQzdL2ebI2eOElYvDV8Mh1Su0AthuKtQT2eC0LsybOE1tRIZO7gxtwxN1CpF5ZhSdES8HaMIFIPL7xsOgmhx4IrdEtjDVHMSCRHnIPuGzO4aQn%2Bl4mga3fI%2FyYiJoFWyMh3OiTXZi%2FidlmFFy9IZTT",
"https://vtbehaviour.commondatastorage.googleapis.com/85b04c04a7046a296d77251f2236ad5e7ce32fbaab17c590ef372bf00497fbd5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775793011&Signature=Obu7zDEJiUY4g9RFOhUIFYbnTGp8YMLvwJCCIR8YL6KFoTrbPiqoltMTn%2FJbTCwl%2Bxky0XNZLQJ2Bj5RCjBwsG382Ckn5T596CYG%2Fk%2B%2FZl5rfYfzgjGwaLT5bO0t%2B6nmKGUTqsZuubwpBtp2leCiw6rVYimL8xulbJF30wh5qDBfH4u%2FsGJrRnSd%2BHiu%2B8YWf%2B39QE9Q%2BazzeRFrq7Jt4DDRRC%2FXY2D1GdxmPzPrYkI4c7"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 119,
"IPv4": 81,
"FileHash-SHA1": 114,
"FileHash-SHA256": 543,
"domain": 122,
"hostname": 411,
"URL": 721,
"CIDR": 3,
"email": 6
},
"indicator_count": 2120,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "10 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d747314a8fc4fa30250fe9",
"name": "VirusTotal report\n for program.exe",
"description": " Report date relevance: May 18 2025.",
"modified": "2026-04-09T07:29:31.205000",
"created": "2026-04-09T06:29:05.116000",
"tags": [
"explorer",
"maxime thiebaut",
"files",
"imageendswith",
"windows sccm",
"pe file",
"drops pe",
"sample",
"drops",
"pe32",
"intel",
"ms windows",
"infects",
"found",
"mitre attack",
"persistence",
"info",
"next",
"windows sandbox",
"calls clear",
"users",
"nothing",
"registry keys",
"change",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"devicecng c",
"bit locker hijacked",
"illegal one drive cross tenant",
"Esign violation",
"non secure workflow",
"wiper",
"MDMenrollment misuse",
"broken seal",
"pdfkit.net DMV",
"vzwbiz",
"modified after creation non secure workflow",
"Docusign exploited by non secure workflow",
"Human Error/Spyware/Risk+",
"Abobe Exploited by non secure process",
"CaRoot Cert Abuse",
"cryptography unsound"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "PathWiper",
"display_name": "PathWiper",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1080",
"name": "Taint Shared Content",
"display_name": "T1080 - Taint Shared Content"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [
"Government",
"Telecommunications",
"Technology"
],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 81,
"URL": 421,
"hostname": 491,
"FileHash-MD5": 477,
"FileHash-SHA1": 298,
"FileHash-SHA256": 719,
"IPv4": 177,
"CVE": 5,
"email": 12,
"CIDR": 2
},
"indicator_count": 2683,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d6c7fec016b76d49ed95ae",
"name": "VirusTotal report\n for index.html",
"description": "shatter",
"modified": "2026-04-08T22:10:44.517000",
"created": "2026-04-08T21:26:22.351000",
"tags": [
"performs dns",
"united",
"https",
"found",
"tls version",
"mitre attack",
"network info",
"processes extra",
"urls",
"t1055 process",
"phishing",
"next",
"script",
"doctype html",
"variablece2034",
"head"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
"https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 283,
"domain": 442,
"FileHash-MD5": 245,
"FileHash-SHA1": 201,
"FileHash-SHA256": 573,
"URL": 570,
"hostname": 1058,
"email": 3,
"SSLCertFingerprint": 2
},
"indicator_count": 3377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "11 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d6619d62ea0c3bbf0ebf75",
"name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
"description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
"modified": "2026-04-08T14:09:33.432000",
"created": "2026-04-08T14:09:33.432000",
"tags": [
"issuer apple",
"valid from",
"valid",
"serial number",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"file version",
"team identifier",
"apple root",
"ca feb",
"am ma9eduzpcw",
"signers",
"issuer valid",
"from valid",
"status issuer",
"apple inc",
"valid apple",
"a9 a8",
"process32nextw",
"regsetvalueexa",
"read c",
"regdword",
"tls handshake",
"failure",
"msie",
"malware",
"write",
"win32",
"unknown",
"dynamicloader",
"high",
"myapp",
"device driver",
"host",
"worm",
"delphi",
"error",
"code",
"defender",
"next",
"file score",
"cryp",
"virus",
"checkin tls",
"forbidden yara",
"msvisualcpp2008",
"less ip",
"contacted",
"scanning host",
"trojan",
"exploit host",
"apple inc",
"monitored target",
"targeting",
"name servers",
"servers",
"expiration date",
"value emails",
"name domain",
"org apple",
"infinite loop",
"city cupertino",
"country us",
"tulach"
],
"references": [
"com.iobit.MacBooster-3",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Alerts: checks_debugger has_pdb raises_exception",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"Issue! Multiple IoC\u2019s missing.",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"Researching using an easy powerful tool like this has led to confrontations.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"I did not clone my pulse to read Bit.io",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"This would be sent in an email but \u2026.",
"About pulse, found in peripheral.",
"When your pulse says contacted, who is contacted besides OTX?",
"An earlier version contacted entities affected or affecting targets."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Virus:Win32/Floxif.H",
"display_name": "Virus:Win32/Floxif.H",
"target": "/malware/Virus:Win32/Floxif.H"
},
{
"id": "Exploit:Win32/CVE-2017-0147",
"display_name": "Exploit:Win32/CVE-2017-0147",
"target": "/malware/Exploit:Win32/CVE-2017-0147"
},
{
"id": "Ransom:Win32/CVE-2017-0147",
"display_name": "Ransom:Win32/CVE-2017-0147",
"target": "/malware/Ransom:Win32/CVE-2017-0147"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 75,
"FileHash-MD5": 102,
"FileHash-SHA256": 2076,
"IPv4": 111,
"URL": 2496,
"CVE": 2,
"domain": 483,
"hostname": 938,
"email": 4,
"SSLCertFingerprint": 2
},
"indicator_count": 6289,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "12 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d586108786e7be59439809",
"name": "Bot.io",
"description": "",
"modified": "2026-04-07T22:32:48.996000",
"created": "2026-04-07T22:32:48.996000",
"tags": [
"added active",
"related pulses",
"found",
"zergeca botnet",
"zergeca",
"upx packer",
"khtml",
"gecko",
"united",
"ids detections",
"yara detections",
"https domain",
"tls sni",
"ip lookup",
"external ip",
"malware",
"encrypt",
"techniques",
"modify system",
"process",
"https",
"performs dns",
"tls version",
"reads cpu",
"proc indicative",
"urls",
"downloads",
"persistence",
"data upload",
"extraction",
"find s",
"failed",
"typ don",
"ipv4 url",
"canreb",
"type ipv4",
"url domail",
"domail showing",
"elf conta",
"typ url",
"zercega",
"enter sc",
"type",
"include",
"review",
"n1 exclude",
"suggestedincc",
"a50 typ",
"ipv4",
"matches yara",
"dete data",
"yara detectea",
"cro intormation",
"exclude sugges",
"sc car",
"extra lte",
"referen",
"l extraction",
"droo anv",
"extr referen",
"lte all",
"je matches",
"yara detel",
"yara dete",
"include review",
"exchange lte",
"je elf",
"passive dns",
"certificate",
"files",
"trojan",
"related tags",
"worm",
"medium",
"write c",
"write",
"high",
"binary",
"yara rule",
"default",
"moved",
"schaan",
"as834 ipxo",
"dynamicloader",
"program",
"ee fc",
"users",
"ff d5",
"python",
"windows",
"autoit",
"confuserex",
"stream",
"guard",
"launcher",
"updater",
"global",
"america flag",
"ashburn",
"america related",
"tags",
"indicator facts",
"historical otx",
"controller fake",
"akamai rank",
"russia",
"present nov",
"aaaa",
"link",
"a domains",
"ip address",
"meta",
"cve -2014-2321",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"pa status",
"whois server",
"included iocs",
"manually add",
"iocs o",
"iocs",
"sugges",
"stop show",
"types",
"external",
"ripe",
"pa abusec",
"neterra",
"sofia",
"bulgaria phone",
"filtered person",
"neven dilkov",
"bg phone",
"filtered route",
"a5ip",
"aa2023",
"aamirai",
"a2scanner",
"apple inc",
"issuer",
"valid",
"algorit",
"thum",
"name",
"a9 a8",
"status",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"typ no",
"td td",
"td tr",
"a td",
"dynamic dns",
"date",
"name servers",
"arial",
"error",
"null",
"enough",
"hosts",
"win32",
"fast",
"contacted",
"MacSync_AppleScript_Stealer",
"cve-2018-10562",
"source",
"roboto",
"robotodraft",
"helvetica",
"iframe",
"manually ada",
"review iocs",
"abv0",
"qaeaav0",
"cptbdev",
"w4uninitialized",
"qaeaav01",
"abv01",
"qaexn",
"qbenxz",
"phoneidentify",
"qbepaxxz"
],
"references": [
"https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
"IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
"Zercega \u2022 IPv4 84.54.51.82",
"Zercega \u2022 http://bot.hamsterrace.space:5966/",
"Zercega \u2022 multi-user.target",
"Zercega \u2022 ootheca.pw",
"CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
"Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS rules:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
"Yara detected: Xmrig cryptocurrency miner",
"Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
"meta.com \u2022 meta.com.apple",
"geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
"ELF contains segments with high entropy indicating compressed/encrypted content",
"/etc/systemd/system/geomi.service File type: ASCII text",
"http://www.bing.lt/search?q=",
"Win.Malware.Salat-10058846-0",
"Yara Detections: MacSync_AppleScript_Stealer",
"Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
"Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
"Alerts: resumethread_remote_process enumerates_running_processes reads_self",
"Alerts: packer_unknown_pe_section_name script_tool_executed",
"Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
"Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
"Contacted: 188.114.96.1 Domains Contacted dns.google",
"distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
"display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
"target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "CVE-2014-2321",
"display_name": "CVE-2014-2321",
"target": null
},
{
"id": "Botnet",
"display_name": "Botnet",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
}
],
"industries": [],
"TLP": "green",
"cloned_from": "69d5859750dfad7fe7989ef4",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 169,
"URL": 1871,
"domain": 393,
"hostname": 925,
"FileHash-MD5": 391,
"FileHash-SHA1": 390,
"FileHash-SHA256": 2452,
"CVE": 1,
"SSLCertFingerprint": 1,
"IPv6": 9,
"email": 4,
"CIDR": 1
},
"indicator_count": 6607,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "12 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d5859750dfad7fe7989ef4",
"name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer",
"description": "",
"modified": "2026-04-07T22:30:47.312000",
"created": "2026-04-07T22:30:47.312000",
"tags": [
"added active",
"related pulses",
"found",
"zergeca botnet",
"zergeca",
"upx packer",
"khtml",
"gecko",
"united",
"ids detections",
"yara detections",
"https domain",
"tls sni",
"ip lookup",
"external ip",
"malware",
"encrypt",
"techniques",
"modify system",
"process",
"https",
"performs dns",
"tls version",
"reads cpu",
"proc indicative",
"urls",
"downloads",
"persistence",
"data upload",
"extraction",
"find s",
"failed",
"typ don",
"ipv4 url",
"canreb",
"type ipv4",
"url domail",
"domail showing",
"elf conta",
"typ url",
"zercega",
"enter sc",
"type",
"include",
"review",
"n1 exclude",
"suggestedincc",
"a50 typ",
"ipv4",
"matches yara",
"dete data",
"yara detectea",
"cro intormation",
"exclude sugges",
"sc car",
"extra lte",
"referen",
"l extraction",
"droo anv",
"extr referen",
"lte all",
"je matches",
"yara detel",
"yara dete",
"include review",
"exchange lte",
"je elf",
"passive dns",
"certificate",
"files",
"trojan",
"related tags",
"worm",
"medium",
"write c",
"write",
"high",
"binary",
"yara rule",
"default",
"moved",
"schaan",
"as834 ipxo",
"dynamicloader",
"program",
"ee fc",
"users",
"ff d5",
"python",
"windows",
"autoit",
"confuserex",
"stream",
"guard",
"launcher",
"updater",
"global",
"america flag",
"ashburn",
"america related",
"tags",
"indicator facts",
"historical otx",
"controller fake",
"akamai rank",
"russia",
"present nov",
"aaaa",
"link",
"a domains",
"ip address",
"meta",
"cve -2014-2321",
"handle",
"address range",
"cidr",
"network name",
"allocation type",
"pa status",
"whois server",
"included iocs",
"manually add",
"iocs o",
"iocs",
"sugges",
"stop show",
"types",
"external",
"ripe",
"pa abusec",
"neterra",
"sofia",
"bulgaria phone",
"filtered person",
"neven dilkov",
"bg phone",
"filtered route",
"a5ip",
"aa2023",
"aamirai",
"a2scanner",
"apple inc",
"issuer",
"valid",
"algorit",
"thum",
"name",
"a9 a8",
"status",
"macho",
"macho 64bit",
"mac os",
"x macho",
"intel",
"typ no",
"td td",
"td tr",
"a td",
"dynamic dns",
"date",
"name servers",
"arial",
"error",
"null",
"enough",
"hosts",
"win32",
"fast",
"contacted",
"MacSync_AppleScript_Stealer",
"cve-2018-10562",
"source",
"roboto",
"robotodraft",
"helvetica",
"iframe",
"manually ada",
"review iocs",
"abv0",
"qaeaav0",
"cptbdev",
"w4uninitialized",
"qaeaav01",
"abv01",
"qaexn",
"qbenxz",
"phoneidentify",
"qbepaxxz"
],
"references": [
"https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
"IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
"Zercega \u2022 IPv4 84.54.51.82",
"Zercega \u2022 http://bot.hamsterrace.space:5966/",
"Zercega \u2022 multi-user.target",
"Zercega \u2022 ootheca.pw",
"CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
"Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"Crowdsourced IDS rules:",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
"Yara detected: Xmrig cryptocurrency miner",
"Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
"meta.com \u2022 meta.com.apple",
"geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
"ELF contains segments with high entropy indicating compressed/encrypted content",
"/etc/systemd/system/geomi.service File type: ASCII text",
"http://www.bing.lt/search?q=",
"Win.Malware.Salat-10058846-0",
"Yara Detections: MacSync_AppleScript_Stealer",
"Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
"Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
"Alerts: resumethread_remote_process enumerates_running_processes reads_self",
"Alerts: packer_unknown_pe_section_name script_tool_executed",
"Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
"Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
"Contacted: 188.114.96.1 Domains Contacted dns.google",
"distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Zergeca",
"display_name": "Zergeca",
"target": null
},
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "Win.Malware.Salat-10058846-0",
"display_name": "Win.Malware.Salat-10058846-0",
"target": null
},
{
"id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
"display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
"target": null
},
{
"id": "Win.Trojan.Emotet-9850453-0",
"display_name": "Win.Trojan.Emotet-9850453-0",
"target": null
},
{
"id": "Worm:Win32/AutoRun!atmn",
"display_name": "Worm:Win32/AutoRun!atmn",
"target": "/malware/Worm:Win32/AutoRun!atmn"
},
{
"id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
"display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
"target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
},
{
"id": "CVE-2024-6387",
"display_name": "CVE-2024-6387",
"target": null
},
{
"id": "CVE-2025-20393",
"display_name": "CVE-2025-20393",
"target": null
},
{
"id": "CVE-2014-2321",
"display_name": "CVE-2014-2321",
"target": null
},
{
"id": "Botnet",
"display_name": "Botnet",
"target": null
},
{
"id": "CVE-2018-10562",
"display_name": "CVE-2018-10562",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0004",
"name": "Privilege Escalation",
"display_name": "TA0004 - Privilege Escalation"
},
{
"id": "T1543.002",
"name": "Systemd Service",
"display_name": "T1543.002 - Systemd Service"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1222",
"name": "File and Directory Permissions Modification",
"display_name": "T1222 - File and Directory Permissions Modification"
},
{
"id": "T1222.002",
"name": "Linux and Mac File and Directory Permissions Modification",
"display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1037.002",
"name": "Logon Script (Mac)",
"display_name": "T1037.002 - Logon Script (Mac)"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 169,
"URL": 1871,
"domain": 393,
"hostname": 925,
"FileHash-MD5": 391,
"FileHash-SHA1": 390,
"FileHash-SHA256": 2452,
"CVE": 1,
"SSLCertFingerprint": 1,
"IPv6": 9,
"email": 4,
"CIDR": 1
},
"indicator_count": 6607,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "12 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d44e7fab061e3364bdf1bf",
"name": "Habo Analysis System",
"description": "The full text of the file: C:\\WINDOWS\\Microsoft.NET.IE5 (C1OS62) \u00c2\u00a31.3m, or $2.4m.",
"modified": "2026-04-07T00:23:27.374000",
"created": "2026-04-07T00:23:27.374000",
"tags": [
"tickcount",
"detail info",
"behaviour",
"milliseconds",
"filename",
"offset",
"processid",
"threadid",
"startaddress",
"parameter",
"window",
"class",
"shell",
"find",
"open",
"cname",
"accept",
"cape sandbox",
"t1055",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"report time",
"machine name",
"shutdown",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/8067742d1522de2b7ba28e4e74c4b744250fd330f1bb1a8cde417bef9cdafd37_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775520837&Signature=Go%2Bka47KzKvakZea0EmagUuP0OWh9V218ewUgZ%2Faw6M7pocMFDFrIDav5VtR9Zio%2FnNGsl99DUwEN14cvVE7xFktf16MgpylRiss4YfSqpp0kXGWU%2BlRKNNAdSzfobegdD5OHqd3hM2tavGxphIP%2BmeX2wwu3XsT%2Bs5Ir3L0x5GzuVkt%2B%2FpARLvo51yBA6wyZOEi%2F6likFEEQ7uFPK%2BbBDFOnHrBEz4y90df8SLfru",
"https://vtbehaviour.commondatastorage.googleapis.com/e70b290a30880da2be3d60f803d6ae189f8ab46eb3c4dc7f3e6ca177923fbb49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775520941&Signature=h5%2FgwYUpokbT4eHKeAWuE72UbZFEEYsd98oEaFn3qiPxhA3bX3NSlg0zxhcg2C07mStxSFaVptGw5amxMORIQGJ%2FSd7%2FkTZQErlFkVyqI1MyEbDguixd0wuguavTtw0sAESw9gnbksrcvHOaDyKeGXVk42RySgzx%2FN7%2BJ3y8TQdhu89TFSD2%2FMBV%2BYkqiBsjloK7sdemw5o%2BfDb9JssITk1r941iTxSgRRumYz%2F0EiLU"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 314,
"IPv4": 23,
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"hostname": 110,
"URL": 154,
"domain": 64
},
"indicator_count": 669,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "13 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d366448691fa5dc09cc8ad",
"name": "CAPE Sandbox",
"description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.",
"modified": "2026-04-06T07:54:40.511000",
"created": "2026-04-06T07:52:35.998000",
"tags": [
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"key identifier",
"x509v3 subject",
"number",
"cus starizona",
"cngo daddy",
"authority",
"g2 validity",
"subject public",
"key info",
"key algorithm",
"domain name",
"status",
"abuse contact",
"email",
"registrar iana"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 64,
"FileHash-MD5": 152,
"FileHash-SHA1": 16,
"FileHash-SHA256": 552,
"URL": 326,
"domain": 69,
"hostname": 213,
"email": 1,
"CVE": 1
},
"indicator_count": 1394,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d36643aecd94c5482eaac1",
"name": "CAPE Sandbox",
"description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.",
"modified": "2026-04-06T07:52:35.647000",
"created": "2026-04-06T07:52:35.647000",
"tags": [
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"key identifier",
"x509v3 subject",
"number",
"cus starizona",
"cngo daddy",
"authority",
"g2 validity",
"subject public",
"key info",
"key algorithm",
"domain name",
"status",
"abuse contact",
"email",
"registrar iana"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 64,
"FileHash-MD5": 152,
"FileHash-SHA1": 16,
"FileHash-SHA256": 552,
"URL": 326,
"domain": 69,
"hostname": 213,
"email": 1
},
"indicator_count": 1393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d366420a9e0656d003c295",
"name": "CAPE Sandbox",
"description": "GoDaddy.com, LLC, is the owner of the GoDaddy website, which has registered more than 200,000 domain names and addresses since the 1990s, including the name of PEGASUS.",
"modified": "2026-04-06T07:52:34.721000",
"created": "2026-04-06T07:52:34.721000",
"tags": [
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"key identifier",
"x509v3 subject",
"number",
"cus starizona",
"cngo daddy",
"authority",
"g2 validity",
"subject public",
"key info",
"key algorithm",
"domain name",
"status",
"abuse contact",
"email",
"registrar iana"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1221",
"name": "Template Injection",
"display_name": "T1221 - Template Injection"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 64,
"FileHash-MD5": 152,
"FileHash-SHA1": 16,
"FileHash-SHA256": 552,
"URL": 326,
"domain": 69,
"hostname": 213,
"email": 1
},
"indicator_count": 1393,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d1f8041acb7d71607578f3",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-05T06:02:06.057000",
"created": "2026-04-05T05:49:56.708000",
"tags": [
"verisign",
"verisign class",
"display driver",
"verisign trust",
"network o",
"pulses",
"code signing",
"mon feb",
"public primary",
"digital id",
"class",
"win32 exe",
"pe32",
"ms windows",
"icons library",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"status",
"issuer verisign",
"ca valid",
"from",
"valid",
"valid usage",
"algorithm",
"thumbprint",
"ca status",
"g5 valid",
"verisign status",
"valid issuer",
"client auth",
"hash",
"cf b8",
"b7 b4",
"a8 f0",
"ab c5",
"bb f6",
"f7 a3",
"name verisign",
"g5 issuer",
"microsoft code",
"valid from",
"thumbprint md5",
"serial number",
"ec f2",
"init",
"copyright",
"product monitor",
"original name",
"file version",
"word document",
"file v2",
"document",
"outlook",
"settings",
"generic ole2",
"multistream",
"compound",
"time stamping",
"signer",
"g4 issuer",
"symantec time",
"stamping",
"g2 valid",
"open xml",
"zip archive",
"word microsoft",
"office open",
"xml format",
"open packaging",
"cf f4",
"c8 fe",
"digicert sha2",
"assured id"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 71,
"FileHash-SHA1": 54,
"FileHash-SHA256": 1900,
"URL": 684,
"IPv4": 135,
"hostname": 657,
"domain": 387
},
"indicator_count": 3888,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "15 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d1f8066431fee3647fa5ff",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-05T05:53:01.644000",
"created": "2026-04-05T05:49:58.156000",
"tags": [
"verisign",
"verisign class",
"display driver",
"verisign trust",
"network o",
"pulses",
"code signing",
"mon feb",
"public primary",
"digital id",
"class",
"win32 exe",
"pe32",
"ms windows",
"icons library",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"status",
"issuer verisign",
"ca valid",
"from",
"valid",
"valid usage",
"algorithm",
"thumbprint",
"ca status",
"g5 valid",
"verisign status",
"valid issuer",
"client auth",
"hash",
"cf b8",
"b7 b4",
"a8 f0",
"ab c5",
"bb f6",
"f7 a3",
"name verisign",
"g5 issuer",
"microsoft code",
"valid from",
"thumbprint md5",
"serial number",
"ec f2",
"init",
"copyright",
"product monitor",
"original name",
"file version",
"word document",
"file v2",
"document",
"outlook",
"settings",
"generic ole2",
"multistream",
"compound",
"time stamping",
"signer",
"g4 issuer",
"symantec time",
"stamping",
"g2 valid",
"open xml",
"zip archive",
"word microsoft",
"office open",
"xml format",
"open packaging",
"cf f4",
"c8 fe",
"digicert sha2",
"assured id"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 71,
"FileHash-SHA1": 54,
"FileHash-SHA256": 1900,
"URL": 684,
"IPv4": 135,
"hostname": 657,
"domain": 387,
"CVE": 6
},
"indicator_count": 3894,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "15 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d0f3013ab8f8fb20d6f6cc",
"name": "VirusTotal report\n for report.eml",
"description": "A security alert for the Verizon Hanover cell phone store in Massachusetts has been triggered by a \"pulses\" created on the site by its owner, the company's parent company, Verizon.><<>>> abuse of power",
"modified": "2026-04-04T09:52:33.171000",
"created": "2026-04-04T09:50:01.067000",
"tags": [
"non dsp",
"cor cura",
"cookie",
"dynamic",
"status code",
"body length",
"kb body",
"sha256",
"gz6mbt0grch",
"utc ua743607001",
"acceptencoding",
"toggle",
"nxdomain",
"windows",
"analysis",
"files mitre",
"xe9xaf",
"jyx9611xb1",
"xe3xfcxfexabe",
"source source",
"file name",
"strings",
"first",
"path",
"enterprise",
"service",
"close",
"richard massina",
"rocketreach",
"email",
"phone number",
"clifford",
"kenny",
"llp associate",
"get richard",
"massina",
"information og",
"file type",
"sigma",
"united",
"https",
"mitre attack",
"network info",
"windows folder",
"office macro",
"creates",
"office outbound",
"phishing",
"malicious",
"next",
"settings",
"first counter",
"default",
"inprocserver32",
"inprochandler32",
"mbisslshort",
"bearer",
"cname",
"mwdb",
"bazaar",
"bridge",
"info",
"accept",
"date",
"agent",
"shutdown",
"root",
"secchuamodel",
"excellent",
"windows sandbox",
"calls process",
"hull times",
"carol britton",
"meyer",
"kenny law",
"town counsel",
"james lampke",
"june",
"hiring",
"performs dns",
"urls",
"found",
"belgium",
"processes extra",
"t1055 process",
"script",
"hull",
"head",
"title",
"nothing",
"file execution",
"error",
"parent pid",
"full path",
"command line",
"registry keys",
"error reporting",
"registrya",
"localsm0504064"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 407,
"domain": 195,
"hostname": 309,
"FileHash-SHA256": 607,
"IPv4": 98,
"FileHash-MD5": 306,
"FileHash-SHA1": 31,
"email": 1,
"YARA": 1,
"CVE": 1
},
"indicator_count": 1956,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "16 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"XOR_embeded_exefile_xored_with_round_256_bytes_key",
"https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind",
"IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"euw-serp-dev-testing19.duck.ai",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
"Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
"Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
"I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
"Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth",
"People who exploit this put the US at risk. Bottom line.",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M",
"I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.",
"https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password",
"BearShare Install File Version 12.0.0.135802",
"xn--cloud-4sa.com",
"https://vtbehaviour.commondatastorage.googleapis.com/e70b290a30880da2be3d60f803d6ae189f8ab46eb3c4dc7f3e6ca177923fbb49_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775520941&Signature=h5%2FgwYUpokbT4eHKeAWuE72UbZFEEYsd98oEaFn3qiPxhA3bX3NSlg0zxhcg2C07mStxSFaVptGw5amxMORIQGJ%2FSd7%2FkTZQErlFkVyqI1MyEbDguixd0wuguavTtw0sAESw9gnbksrcvHOaDyKeGXVk42RySgzx%2FN7%2BJ3y8TQdhu89TFSD2%2FMBV%2BYkqiBsjloK7sdemw5o%2BfDb9JssITk1r941iTxSgRRumYz%2F0EiLU",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"Verification failure observed in automated verification handlers during sandbox replay.",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"www.fireeye.com .",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com",
"Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T",
"Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA",
"Alerts: packer_unknown_pe_section_name script_tool_executed",
"Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"Musiclab, LLC",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
"Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
"https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
"https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members",
"Win.Malware.Salat-10058846-0",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%",
"Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"Yara Detections: Tofsee",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
"I am unable to reach Level Blue regarding issues. Mailer Daemon only",
"YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
"IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101",
"There are serious researchers on here for a short time hoping to resolve serious cyber issues",
"Micro - Dates to look for specific: April/May/June 2025",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"https://vtbehaviour.commondatastorage.googleapis.com/85b04c04a7046a296d77251f2236ad5e7ce32fbaab17c590ef372bf00497fbd5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775793011&Signature=Obu7zDEJiUY4g9RFOhUIFYbnTGp8YMLvwJCCIR8YL6KFoTrbPiqoltMTn%2FJbTCwl%2Bxky0XNZLQJ2Bj5RCjBwsG382Ckn5T596CYG%2Fk%2B%2FZl5rfYfzgjGwaLT5bO0t%2B6nmKGUTqsZuubwpBtp2leCiw6rVYimL8xulbJF30wh5qDBfH4u%2FsGJrRnSd%2BHiu%2B8YWf%2B39QE9Q%2BazzeRFrq7Jt4DDRRC%2FXY2D1GdxmPzPrYkI4c7",
"APKMirror https://www.apkmirror.com",
"Proton.me/Zenbox: Audit July 2025",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO",
"Zercega \u2022 http://bot.hamsterrace.space:5966/",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback",
"YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"http://www.phonefactor.com/PfPaWs/ConfirmActivation",
"Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools",
"Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"Yara detected: Xmrig cryptocurrency miner",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x",
"When your pulse says contacted, who is contacted besides OTX?",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Germany, Austria, and Switzerland GmbH",
"Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
"Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program",
"Are these table SolarWinds attackers? Using same tacktics, good? Unsure.",
"Researching using an easy powerful tool like this has led to confrontations.",
"/etc/systemd/system/geomi.service File type: ASCII text",
"About pulse, found in peripheral.",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting",
"account-apple.com",
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"https://vtbehaviour.commondatastorage.googleapis.com/85b04c04a7046a296d77251f2236ad5e7ce32fbaab17c590ef372bf00497fbd5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775792988&Signature=M1J9CaQkigeg5YRUts8g89wpgmwVxVFRSm9L7fFYPqBizkGksAY%2BQXAESjDzcmPanQSRoqOJXy9yNcu%2F4pPkcUbFtUg8oheQzdL2ebI2eOElYvDV8Mh1Su0AthuKtQT2eC0LsybOE1tRIZO7gxtwxN1CpF5ZhSdES8HaMIFIPL7xsOgmhx4IrdEtjDVHMSCRHnIPuGzO4aQn%2Bl4mga3fI%2FyYiJoFWyMh3OiTXZi%2FidlmFFy9IZTT",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"http://console.applemarketingtools.com/",
"An earlier version contacted entities affected or affecting targets.",
"I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
"IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
"https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%",
"africa.konnect.com",
"Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
"ELF contains segments with high entropy indicating compressed/encrypted content",
"https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
"Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files",
"Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"Contacted: 188.114.96.1 Domains Contacted dns.google",
"https://vtbehaviour.commondatastorage.googleapis.com/8067742d1522de2b7ba28e4e74c4b744250fd330f1bb1a8cde417bef9cdafd37_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775520837&Signature=Go%2Bka47KzKvakZea0EmagUuP0OWh9V218ewUgZ%2Faw6M7pocMFDFrIDav5VtR9Zio%2FnNGsl99DUwEN14cvVE7xFktf16MgpylRiss4YfSqpp0kXGWU%2BlRKNNAdSzfobegdD5OHqd3hM2tavGxphIP%2BmeX2wwu3XsT%2Bs5Ir3L0x5GzuVkt%2B%2FpARLvo51yBA6wyZOEi%2F6likFEEQ7uFPK%2BbBDFOnHrBEz4y90df8SLfru",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
"Y2K",
"https://vtbehaviour.commondatastorage.googleapis.com/4fa978df1c61592b3d336a76d8a324507c53e726ccf8fd6bfb219efbabc0fa1c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1773742155&Signature=hmgsQvN6lvSJyMCNIRlWZtk97Xz8JirhWIy72PW5KMpXxyVdg3UanGZ9B%2Bp5n0vJ2KoDKxNkrHyxCWxJpF%2FHxCWQ0WRi05hwyk12d%2BOgtqEnCWKOR6LvEhM8Hxs0Q1dklaSxX%2BEOkqPKpQ5UWYdBds%2FLuiH66TsmSkpXhX9joyRDpwX6pqSNNruY%2Bf6favP5xtlRMjuIAdb2%2BhVa8WzfsDWh%2BTzjkaFxLKA4YP2tE8m35pH6BRG6wl",
"https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo",
"Spellbinding! Indeed. SpellEditor.exe",
"Digi/Global Sign - audit 2020 digital intersect",
"Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org",
"This would be sent in an email but \u2026.",
"https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3",
"Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf",
"IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
"Matches rule ET POLICY External IP Lookup ipinfo.io",
"Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"Yara Detections: MacSync_AppleScript_Stealer",
"danilovstyle.ru",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"Gatsby Library Loader, DLL",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"Zercega \u2022 multi-user.target",
"Alerts: resumethread_remote_process enumerates_running_processes reads_self",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"b9e4e47c3f96846c30581c08acf5bc56.virus",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"Alerts: checks_debugger has_pdb raises_exception",
"Zercega \u2022 ootheca.pw",
"Zercega \u2022 IPv4 84.54.51.82",
"https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c",
"ns4-04.azure-dns.info",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"I did not clone my pulse to read Bit.io",
"Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"gateway.fe.apple-dns.net \u2022 apple-dns.net",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"I typically follow targets who have truly dangerous situations who no longer pulse.",
"http://cab.applemarketingtools.com",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading",
"Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
"Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
"IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
"France",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"http://www.bing.lt/search?q=",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r",
"FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
"ids-apple.com \u2022 itunes.org",
"https://hypic-anaivsis.com/sambrerb/a0p9veebo",
"Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
"A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more",
"kefas.id: Crowdsourced Sigma below | Malicious Score High",
"https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:",
"Issue! Multiple IoC\u2019s missing.",
"com.iobit.MacBooster-3",
"Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"Entrust to Sectigo- Review vendors",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"It\u2019s not just me. I have contacted from very secured emails, networks, devices",
"IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"Crowdsourced IDS rules:",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
"This document might expose someone, more than another.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
"http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"asp.net \u2022 cdnsrc.asp.net",
"IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)",
"Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
"https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
"meta.com \u2022 meta.com.apple",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"www.fireeye.com",
"Tulach\u2019s ASP.Net Open Source destruction",
"Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
"https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [],
"malware_families": [
"Pathwiper",
"Virus:win32/floxif.h",
"Cve-2023-22518",
"Worm:win32/autorun!atmn",
"Zergeca",
"Win.packed.bandook-9882274-1",
"Ransom:win32/cve-2017-0147",
"Win.trojan.emotet-9850453-0",
"Trojan:win32/comisproc!gmb i",
"Win.trojan.tofsee-7102058-0",
"Ransom:win32/sodinokibicrypt.sk!mtb",
"Win.trojan.tofsee-7102058-0\tbackdoor:win32/tofsee.t",
"Cve-2025-20393",
"Xored",
"Botnet",
"Win32/searchsuite",
"Trojan.dukes/xmldrp",
"Exploit:win32/cve-2017-0147",
"Trojandownloader:win32/cutwail",
"Cve-2014-2321",
"Win.malware.salat-10058846-0",
"Cve-2024-6387",
"Autoit",
"Backdoor:win32/tofsee.t",
"Cve-2018-10562",
"Win.ransomware.tofsee-10015002",
"Win32.application.bearshare.a",
"Alf:jasyp:trojandownloader:win32/smallagent!"
],
"industries": [
"Technology",
"Healthcare",
"Telecommunications",
"Government",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69a02837827feb0b78fa3ad2",
"name": "The Belasco Chain",
"description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
"modified": "2026-04-19T09:34:35.173000",
"created": "2026-02-26T11:02:15.932000",
"tags": [
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file type",
"sha1",
"sha256",
"crc32",
"filenames c"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2805,
"FileHash-SHA1": 2568,
"FileHash-SHA256": 7488,
"domain": 1883,
"hostname": 1466,
"URL": 1179,
"email": 46,
"CVE": 46,
"CIDR": 3,
"YARA": 7,
"IPv4": 94,
"JA3": 1
},
"indicator_count": 17586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d9675a25be662c17cd3a9c",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-04-19T09:06:31.781000",
"created": "2026-04-10T21:10:50.646000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"No Problems"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there."
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 70,
"hostname": 227,
"CVE": 4,
"URL": 368,
"domain": 110,
"IPv4": 34,
"FileHash-MD5": 5,
"FileHash-SHA1": 26,
"CIDR": 4,
"email": 20,
"JA3": 1
},
"indicator_count": 869,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d967590f40c612c90ce84f",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-04-19T09:05:10.432000",
"created": "2026-04-10T21:10:49.749000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"APKmirror",
"ILOVEYOUBABY",
"No Problems",
"Christmas Tree EXEC Code Red worm Computer virus Nimda",
"Wanna Cry",
"APK",
"DC RAT",
"Emotnet",
"Redline Swiper",
"Open Door",
"Bankers Document",
"Y2K",
"wsscript.exe, VBE",
"Compliance Lock Trap",
"Globalsign 2020 (potentially exploited)",
"Heuristic Smear",
"Gatsby Library Loader DLL",
"w31999",
"UofA"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"Micro - Dates to look for specific: April/May/June 2025",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"Entrust to Sectigo- Review vendors",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Digi/Global Sign - audit 2020 digital intersect",
"Proton.me/Zenbox: Audit July 2025",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"APKMirror https://www.apkmirror.com",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"Y2K",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"France",
"Germany, Austria, and Switzerland GmbH",
"Gatsby Library Loader, DLL",
"Spellbinding! Indeed. SpellEditor.exe"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3516,
"hostname": 1614,
"CVE": 7,
"URL": 1806,
"domain": 1416,
"IPv4": 888,
"FileHash-MD5": 731,
"FileHash-SHA1": 787,
"CIDR": 6,
"email": 27,
"IPv6": 10,
"JA3": 2
},
"indicator_count": 10810,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69bf8219dabe3eb8bd65d4d2",
"name": "The Wizard",
"description": "search\n=gws-wiz-serp",
"modified": "2026-04-19T07:04:07.090000",
"created": "2026-03-22T05:46:01.123000",
"tags": [
"html internet",
"html document",
"language"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 285,
"FileHash-SHA1": 144,
"FileHash-SHA256": 255,
"URL": 184,
"hostname": 84,
"domain": 51,
"IPv4": 55,
"IPv6": 8,
"email": 2
},
"indicator_count": 1068,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e30d748895cd7a5746fd20",
"name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research",
"description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"modified": "2026-04-18T04:49:56.011000",
"created": "2026-04-18T04:49:56.011000",
"tags": [
"injection",
"removal",
"manipulation",
"apt29",
"lab52",
"avertium",
"ukraine",
"magicweb",
"nato",
"solarwinds",
"snowyamber",
"halfrig",
"quarterrig",
"orion",
"team",
"ransomware",
"mimikatz",
"magicweb",
"hijack",
"cobalt strike",
"trojan",
"dropper",
"dukes",
"malware",
"ylarv",
"drop",
"msdos",
"stub",
"rareencoding",
"memory pattern",
"communication",
"urls http",
"hashes",
"client execut",
"modify registry",
"preos boot",
"technir process",
"artifacts v",
"v help",
"rootkit",
"os credential",
"response",
"nxdomain",
"name n",
"dumping",
"sigma",
"use short",
"name path",
"creates",
"query firmware",
"verdict",
"report",
"malicious",
"defense evasion",
"network info",
"process",
"system",
"hostname"
],
"references": [
"https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered",
"https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f",
"I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting",
"XOR_embeded_exefile_xored_with_round_256_bytes_key",
"FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->",
"Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message",
"YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth",
"YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth",
"YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth",
"YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth",
"YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth",
"SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali",
"Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.",
"kefas.id: Crowdsourced Sigma below | Malicious Score High",
"Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29",
"Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner",
"Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |",
"Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Norway",
"Ukraine",
"Poland"
],
"malware_families": [
{
"id": "Xored",
"display_name": "Xored",
"target": null
},
{
"id": "Trojan.Dukes/Xmldrp",
"display_name": "Trojan.Dukes/Xmldrp",
"target": null
}
],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1542.003",
"name": "Bootkit",
"display_name": "T1542.003 - Bootkit"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1552",
"name": "Unsecured Credentials",
"display_name": "T1552 - Unsecured Credentials"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 23,
"URL": 34,
"hostname": 97,
"FileHash-MD5": 32,
"FileHash-SHA1": 29,
"FileHash-SHA256": 138,
"CVE": 4,
"IPv4": 24
},
"indicator_count": 381,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "2 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f53e6b3e17deca1277b7",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T04:12:56.823000",
"created": "2026-04-17T08:54:22.034000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 686,
"FileHash-MD5": 96,
"FileHash-SHA1": 136,
"IPv4": 98,
"URL": 562,
"hostname": 313,
"domain": 105,
"IPv6": 2,
"email": 2,
"YARA": 1
},
"indicator_count": 2001,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f52e424e1151ddd9c696",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T04:12:55.719000",
"created": "2026-04-17T08:54:06.864000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 714,
"FileHash-MD5": 128,
"FileHash-SHA1": 152,
"IPv4": 98,
"URL": 692,
"hostname": 456,
"domain": 121,
"IPv6": 2,
"email": 2,
"YARA": 5
},
"indicator_count": 2370,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f540bec93625fc7c7466",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T01:05:57.196000",
"created": "2026-04-17T08:54:24.226000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 686,
"FileHash-MD5": 96,
"FileHash-SHA1": 136,
"IPv4": 97,
"URL": 561,
"hostname": 316,
"domain": 105,
"IPv6": 2,
"email": 2
},
"indicator_count": 2001,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69e1f540aa36f336eb92ff53",
"name": "VirusTotal report\n for program.exe",
"description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
"modified": "2026-04-18T00:53:20.700000",
"created": "2026-04-17T08:54:24.517000",
"tags": [
"executable",
"msdos",
"pe32 executable",
"intel",
"ms windows",
"dos borland",
"generic windos",
"dos executable",
"pe32 compiler",
"borland delphi",
"delphi",
"file type",
"json",
"ascii",
"ascii text",
"drops pe",
"pe file",
"sample",
"persistence",
"malicious",
"next",
"network capture",
"wireshark pcap",
"next generation",
"dump file",
"format",
"little endian",
"pcap",
"nothing",
"registry keys",
"mutexes nothing",
"parent pid",
"full path",
"command line",
"files c",
"read files",
"read registry",
"apis nothing",
"https",
"urls",
"creates",
"pe32",
"sigma",
"window",
"mailpassview",
"default",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"sha256",
"cname",
"inprocserver32",
"accept",
"shutdown",
"guard",
"darkgate",
"windows sandbox",
"calls process",
"systemroot",
"commands",
"created",
"xcaxdb xcaxdb",
"x82xec x82xec",
"x83xc4 x83xc4",
"xc1 x",
"xffu xffu",
"x8be x8be",
"x81e x81e",
"xc4 xc4",
"x81i x81i",
"xf3x86 xf3x86",
"activator",
"detail info",
"tickcount",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"text",
"classname",
"behaviour",
"class",
"shell",
"find",
"mitre attack",
"network info",
"processes extra",
"program",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"title",
"phishing",
"cape sandbox",
"t1055",
"style",
"courier",
"ip address",
"port",
"gmt ifnonematch",
"machine summary",
"meta",
"inter"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
"https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
"https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
"https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
"https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
"https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
"https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1200",
"name": "Hardware Additions",
"display_name": "T1200 - Hardware Additions"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 860,
"FileHash-MD5": 180,
"FileHash-SHA1": 224,
"IPv4": 97,
"URL": 639,
"hostname": 362,
"domain": 107,
"IPv6": 2,
"email": 2
},
"indicator_count": 2473,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "cloud.microsoft",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "cloud.microsoft",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776722217.0783298
}